Analysis
-
max time kernel
149s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
09-04-2024 15:37
General
-
Target
2024-04-09_aa0584f546964c4a1a40c9ce946169f5_mafia.exe
-
Size
486KB
-
MD5
aa0584f546964c4a1a40c9ce946169f5
-
SHA1
ede263c4965297af051156707da4af38df0c7c00
-
SHA256
385e7a46e5e1bcfa4f466f8fc8fc2a48cec1c87e85e062eb45d758aaad9e2faa
-
SHA512
e37f54151f8cfaa56fac5674e46c092e796e05b087ef97c8943a4589e61cc0817c8b7ad807c6903a4a2ffe4b2f9da5a83abc3c62821a6a56748fdd7a444d2f65
-
SSDEEP
6144:pRPu8zwpAoYCZrIik3tHM+Yt7gCWnrMi9xbzaWmPxzdNAs/IdOEdIeMKZsH2fG:pUrIik3KP7Grz9pa95XbsOIIBUG
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-09_aa0584f546964c4a1a40c9ce946169f5_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-09_aa0584f546964c4a1a40c9ce946169f5_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3316.tmp"C:\Users\Admin\AppData\Local\Temp\3316.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-04-09_aa0584f546964c4a1a40c9ce946169f5_mafia.exe BC7711427BAF2D9E24D5650027E7EAC6CC358A175E2B0333DEEC53A0A3F01EE9ABD571D52E788087094A7F1EEA4FD2D0C50A01DCA299CC8EA1F61CD0CAE170DB2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-04-09_aa0584f546964c4a1a40c9ce946169f5_mafia.docx" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD57079891932a64f097abafd233055a1e9
SHA1246d95feafe67689d49a5a4cadba18d3ac1914e5
SHA256c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1
SHA5126e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a
-
Filesize
486KB
MD50127d4f0bce68eb45e35b2f740803729
SHA1189ed6f6c0127fa9306f70020627ede6191e59e9
SHA2568cd8f6110dfb6ef59dacbca079e71b8254e400f98cc912e3cb8268982b1f191c
SHA512ae3f4171cfb2bae8ab3a3a3d6afb5ab5ef0b60b7a2e59f471005a14b7f53289162fadc05dc978c097cb141c112da0a98bcd2f4b1bd8e689ad0885c5d447dac9d
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB