Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
26/04/2024, 12:32
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-26_880524e15cf0fa1f4a87b55d7dda6b96_mafia.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-04-26_880524e15cf0fa1f4a87b55d7dda6b96_mafia.exe
Resource
win10v2004-20240412-en
General
-
Target
2024-04-26_880524e15cf0fa1f4a87b55d7dda6b96_mafia.exe
-
Size
486KB
-
MD5
880524e15cf0fa1f4a87b55d7dda6b96
-
SHA1
47cd6d5778f0f631606fe0d1a8fd3b0af65eb7ab
-
SHA256
09089219b55c8ca1fa3f3a11423867660225f22640b4d20b987185b2fb876e28
-
SHA512
11180c362954913594a5d40c89668ddfd306034b12f478d7e28485f842a75924322edb4f7b8dad8b043874457aa34436b02717eaf9c275029fec5d40d1832eb3
-
SSDEEP
6144:pRPuZzNIAZYMZrIik3tHDvBE+2qgrYhpT00ZiKNvHyyRZiaafI9sH2f9:pwrIik35BE+R8YnpiuvroVU9
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation 3028.tmp -
Executes dropped EXE 1 IoCs
pid Process 3508 3028.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings 3028.tmp -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 5100 WINWORD.EXE 5100 WINWORD.EXE -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3508 3028.tmp -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 5100 WINWORD.EXE 5100 WINWORD.EXE 5100 WINWORD.EXE 5100 WINWORD.EXE 5100 WINWORD.EXE 5100 WINWORD.EXE 5100 WINWORD.EXE 5100 WINWORD.EXE 5100 WINWORD.EXE 5100 WINWORD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4740 wrote to memory of 3508 4740 2024-04-26_880524e15cf0fa1f4a87b55d7dda6b96_mafia.exe 85 PID 4740 wrote to memory of 3508 4740 2024-04-26_880524e15cf0fa1f4a87b55d7dda6b96_mafia.exe 85 PID 4740 wrote to memory of 3508 4740 2024-04-26_880524e15cf0fa1f4a87b55d7dda6b96_mafia.exe 85 PID 3508 wrote to memory of 5100 3508 3028.tmp 93 PID 3508 wrote to memory of 5100 3508 3028.tmp 93 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-26_880524e15cf0fa1f4a87b55d7dda6b96_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-26_880524e15cf0fa1f4a87b55d7dda6b96_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Users\Admin\AppData\Local\Temp\3028.tmp"C:\Users\Admin\AppData\Local\Temp\3028.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-04-26_880524e15cf0fa1f4a87b55d7dda6b96_mafia.exe E947C28302B09FF5E8B8C26DBDCBA53A7BCBDFB38F5761EFD14BC504237C90D8409C91C36B803D69DC34B4958B7165565808EED1D96F7A96D4CDC19375A4D1232⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-04-26_880524e15cf0fa1f4a87b55d7dda6b96_mafia.docx" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5100
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD57079891932a64f097abafd233055a1e9
SHA1246d95feafe67689d49a5a4cadba18d3ac1914e5
SHA256c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1
SHA5126e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a
-
Filesize
486KB
MD5a32b01271952732312064d99c3aae870
SHA1ba7484a93b6f8bb1455163e8348a5f5d7846db42
SHA25676d6206f9dd4f4ee1f42d65654fadefc8960521f75614d9a030efc1d52875156
SHA512688785a4ba5e8fabc8ace1490622b37f63ce920603e1b35b39fd89b71bf444dd27ab28dd382c2598aa5cc06f7169fc86460c51acc76d860005fd43ad077e8728