5eb907137ff78e760ac0c286ad4b95285445403da23aeb28808c7faa2bd2843b

General

Target

2024-04-11_07ba5e4fb8b5ecdb139cd67f97eeb39e_mafia.exe
Size

1.2MB
MD5

07ba5e4fb8b5ecdb139cd67f97eeb39e
SHA1

341b713dd9a291a371bf85fdf7e0da08803347ec
SHA256

5eb907137ff78e760ac0c286ad4b95285445403da23aeb28808c7faa2bd2843b
SHA512

4c22d9f8563e1ccaaef00aaf701a58c51c792cf0beba1bbbe9d1306a68a8603b3a551fa1d6d6549f282cb32865e4b695a98f561dfa91a43c1b2c539387a50b37
SSDEEP

24576:U1QfopqgQJXi6kgaINVD4W7CS7YsXDV6YkHzr9jWp04j2+b6eh7BGOjbvD/+Xbdx:U1wgsXiTcNV7CS7bkY8xWa4j2Y6edDmD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2704	tmppack.exe

Loads dropped DLL 2 IoCs

pid	Process
2968	2024-04-11_07ba5e4fb8b5ecdb139cd67f97eeb39e_mafia.exe
2968	2024-04-11_07ba5e4fb8b5ecdb139cd67f97eeb39e_mafia.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	2024-04-11_07ba5e4fb8b5ecdb139cd67f97eeb39e_mafia.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	2024-04-11_07ba5e4fb8b5ecdb139cd67f97eeb39e_mafia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2024-04-11_07ba5e4fb8b5ecdb139cd67f97eeb39e_mafia.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2968	2024-04-11_07ba5e4fb8b5ecdb139cd67f97eeb39e_mafia.exe
2968	2024-04-11_07ba5e4fb8b5ecdb139cd67f97eeb39e_mafia.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2704	2968	2024-04-11_07ba5e4fb8b5ecdb139cd67f97eeb39e_mafia.exe	28
PID 2968 wrote to memory of 2704	2968	2024-04-11_07ba5e4fb8b5ecdb139cd67f97eeb39e_mafia.exe	28
PID 2968 wrote to memory of 2704	2968	2024-04-11_07ba5e4fb8b5ecdb139cd67f97eeb39e_mafia.exe	28
PID 2968 wrote to memory of 2704	2968	2024-04-11_07ba5e4fb8b5ecdb139cd67f97eeb39e_mafia.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-11_07ba5e4fb8b5ecdb139cd67f97eeb39e_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_07ba5e4fb8b5ecdb139cd67f97eeb39e_mafia.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\VLKYWAVTPTSGT\tmppack.exe
  -y
  2⤵
  - Executes dropped EXE
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05ywp23\gui\3107.html

Filesize
7KB

MD5
28ef3c36b4106acff00c0e98fe57dde6

SHA1
fae54627acbac037ab3e591d9c063265e1d826a3

SHA256
7e767bd8e3ad1ad5737f2c0afeadf276a3a70fef1306fca2bd387ef3ec5be71c

SHA512
c0188b8a421d00fee1a8efe7de05cb0a4599a7ea1b5c3b78db78ef6e661acd75d944d97f25c8677ec0757cc5b90101564338ee222863d86b4188027e375bdd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\05ywp23\gui\events\cav.xml

Filesize
1KB

MD5
53db8144c2937638ab55fbee6dc0cc71

SHA1
47ebda58e209e18c46ca0bd974775b3a7489d1d1

SHA256
fcbaf17f3d3d9ed76c37252a6fba06e740678034edf1d741564de22e6e4f1a33

SHA512
10709f9fd2bae525de8976562937490a8cc967c754c64e9a97f43b93b17d6707eb3c527ac3240c2daebc9cb9204c565dd5a3ad62e14e143a0ec0e80807564899

Download Submit
C:\Users\Admin\AppData\Local\Temp\VLKYWAVTPTSGT\installer.pak

Filesize
1.6MB

MD5
a4a7f8cb2dbefe97901cf657f6ed5ca4

SHA1
3b297cd14d8844b6da442557b0d82d1f2e888b22

SHA256
babacf1ca8865e86ea715364c43b24c1e450a094cab0852dec1b3e26a42978a2

SHA512
bf7373cf77597b0aa6619cfe2186f4f2f2672ed8f5985797918477b78450358dd1bfd053976f8953563af2bc706fb6b7125da61c37cc999397ee34f917f96e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\VLKYWAVTPTSGT\tmppack.exe

Filesize
716KB

MD5
d2f31d4bcb2f93e137eed54a8f4c8874

SHA1
28bf2717bfda88a3e93906c720065cde847b1487

SHA256
473ab84307c6d9cc7907598705dd2704360557c0ba0becf5a090b269a81d087c

SHA512
d347d271d053c960f895c31a2396d333f05b2792545f20e60cc5c15440e98a7a7c80813346787a980434c6394c33d00be16c0c20f73a9c0551e45f563c5e5b84

Download Submit
memory/2968-13-0x00000000023C0000-0x000000000255D000-memory.dmp

Filesize
1.6MB

Download
memory/2968-83-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2968-158-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing