7596b7db23102c806efb97df132bb8c7faf443725df5d1e7bc0cf34a9cef7676 | Triage

Analysis

max time kernel
140s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 07:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
Size

3.6MB
MD5

ffd14891320a3971f9915c82d3de6da4
SHA1

739512ea3a4e690c68dd154a6e4e66f44be7a8cc
SHA256

7596b7db23102c806efb97df132bb8c7faf443725df5d1e7bc0cf34a9cef7676
SHA512

7a30a2a419bf9fde00a9cbfb1729a177893886550bb9dac2dd7e1a85ca6cdfdb60cdaf3c7428621cc85fe0ffa02cc9cbab69462e61197828272e25a7f94ce99b
SSDEEP

49152:sm8CGs4YEvhDiLXq/jCwuvi7XRYiTWTKOj/One8knPTheUy9op7vxTbM6DrzXkTw:58ds4YaM5a7XRr6KOj/j8knTjw6Dnil

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\S:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\U:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\E:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\F:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\G:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\L:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\Y:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\D:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\K:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\N:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\O:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\X:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\H:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\J:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\Q:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\V:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\T:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\W:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\Z:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\I:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\M:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\P:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
File opened (read-only)	\??\R:	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000064efbbd21686319b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000064efbbd20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090064efbbd2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d64efbbd2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000064efbbd200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_ffd14891320a3971f9915c82d3de6da4_mafia.exe"
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads