db4f3f120dab9aa0ba21a219d5d0bdb330692fa790b2dbf798325abab9e7e25e

General

Target

2024-04-22_c92fce7f0e9d769ce7e9f39de27c16a7_mafia.exe
Size

457KB
MD5

c92fce7f0e9d769ce7e9f39de27c16a7
SHA1

1a123da69a8d586bc3674ff1e8122e92e2dde588
SHA256

db4f3f120dab9aa0ba21a219d5d0bdb330692fa790b2dbf798325abab9e7e25e
SHA512

1322bda390c34570641ae93e0dc9b7857df81bb9dc91ed6ae3373a24fc45da3cffee351bb622a99e6599c4ac4fbe89596dc29a30a689f0b7e4abd052a51a9bce
SSDEEP

12288:frF2600C97lFGnS+m4Sow/sb6lKspsHGJeU:fro6s9ynhzS86VpLM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2248	E24.tmp

Loads dropped DLL 1 IoCs

pid	Process
2252	2024-04-22_c92fce7f0e9d769ce7e9f39de27c16a7_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2484	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2248	E24.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2248	2252	2024-04-22_c92fce7f0e9d769ce7e9f39de27c16a7_mafia.exe	28
PID 2252 wrote to memory of 2248	2252	2024-04-22_c92fce7f0e9d769ce7e9f39de27c16a7_mafia.exe	28
PID 2252 wrote to memory of 2248	2252	2024-04-22_c92fce7f0e9d769ce7e9f39de27c16a7_mafia.exe	28
PID 2252 wrote to memory of 2248	2252	2024-04-22_c92fce7f0e9d769ce7e9f39de27c16a7_mafia.exe	28
PID 2248 wrote to memory of 2484	2248	E24.tmp	29
PID 2248 wrote to memory of 2484	2248	E24.tmp	29
PID 2248 wrote to memory of 2484	2248	E24.tmp	29
PID 2248 wrote to memory of 2484	2248	E24.tmp	29

C:\Users\Admin\AppData\Local\Temp\2024-04-22_c92fce7f0e9d769ce7e9f39de27c16a7_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_c92fce7f0e9d769ce7e9f39de27c16a7_mafia.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\E24.tmp
  "C:\Users\Admin\AppData\Local\Temp\E24.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-04-22_c92fce7f0e9d769ce7e9f39de27c16a7_mafia.exe 0931BE8FBA64F65B8D4B0603C1DC10CE78B2C080769CCD9DA8421F68ABB2D72F484C4832C93AB3D3A5D0FDDA550BE966E87D57C17E27416EE981E7056476E87F
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-04-22_c92fce7f0e9d769ce7e9f39de27c16a7_mafia.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-04-22_c92fce7f0e9d769ce7e9f39de27c16a7_mafia.docx

Filesize
140KB

MD5
e90e498009a13ae957dcde4e01065e7d

SHA1
dcb4cc9b7d1ed3becc625597422d60aaf068a759

SHA256
ca91bbd477e2a516997c48dde3da1a5eae4cad86ca664fea54f0103739073c94

SHA512
4d0868f653e6c57d4011430ab81688f4f039550a9a0b5b1ce5ab1a695cb1dca7d7cdfb1d7c3920c35bbd3a8b441c820f00ae4e71f749650545ddd6894d597766

Download Submit
C:\Users\Admin\AppData\Local\Temp\E24.tmp

Filesize
457KB

MD5
a8d8ff17becd5b3fff8b2104a645a560

SHA1
fe440fe20aa31ff3c555d14dc810e77e3c9e9c6a

SHA256
3547c533ee929ac0cd49ff0b2abb79ffc9183518441bcf4800a6a2dd84d0373d

SHA512
d86b13601798aa7588019d3103856a2dfa2e440eaa169273cd722258165d46f28332e089e4b78baa21b767573995409e2a7b6951d73d9c058a72f663287ca5ed

Download Submit
memory/2484-7-0x000000002F541000-0x000000002F542000-memory.dmp

Filesize
4KB

Download
memory/2484-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2484-9-0x0000000070D0D000-0x0000000070D18000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing