Analysis
max time kernel: 2s
max time network: 1s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 29-04-2024 16:22
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe
Resource
win10v2004-20240426-en
Errors
General
Target: 2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe
Size: 486KB
MD5: ff1b04dac9fc38e6c6447935348df6c0
SHA1: d85500146f62a8b35e4f2dd7f2f0db37e46e0856
SHA256: 398df32ac6aecb1df14e99719da96ca8018bf86048513a5a1891569e9bc3337f
SHA512: 1c62dab7b5a3e5903588fff43d8c0554ca5e16048f8bbe2ebf3e94bf8e9ec4e0af8819e87c860f824c2fb4134172a07176df2fac49cf4fa1cac2ddd0ade97e89
SSDEEP: 12288:pNrIik39CxP94TcFNhoTPbw0ZDy0WMxSU/:pNrU39Cx1vFNuTTwAy0WMU8
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  pid 1804  Process: C40.tmp
Loads dropped DLL (1 IoC)
  pid 2760  Process: 2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: RenamesItself (1 IoC)
  pid 1804  Process: C40.tmp
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                                 procid_target
  PID 2760 wrote to memory of 1804  2760  2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe  28
  PID 2760 wrote to memory of 1804  2760  2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe  28
  PID 2760 wrote to memory of 1804  2760  2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe  28
  PID 2760 wrote to memory of 1804  2760  2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe (level 1, PID 2760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\C40.tmp (level 2, PID 1804)
    Command line: "C:\Users\Admin\AppData\Local\Temp\C40.tmp" --help C:\Users\Admin\AppData\Local\Temp\2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe 79C932DC69B9B4D6C2245A0DFDF2A950E4B76CA89ABAE2749AA32F74C53BBADE894FB86F54A977F70237B9CDD14E172E0DB1BA88E6253DC08A6E71DE3B4A9AE5
    Signatures: Executes dropped EXE; Suspicious behavior: RenamesItself
    - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 3, PID 2124)
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.docx"
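The process tree above is the most actionable part of this report for a defender: a binary in %TEMP% drops a second file with a .tmp extension into the same directory, executes it, and that child then launches WINWORD.EXE on a .docx decoy of the same name. The following is an added example, not part of the sandbox report, that replays the three process creations as constructed events and flags each step of that chain. PIDs, image paths and command lines are copied from the report; the flat event layout (pid, ppid, image, cmdline, roughly Sysmon Event ID 1 fields) and the parent PID 0 for the first process are assumptions, since the report does not show what started PID 2760.

```python
"""Detection of the Temp -> .tmp -> Office decoy chain from the report's process tree.

Added example; the ProcEvent layout is an assumption (Sysmon Event ID 1 fields
flattened to plain attributes). Paths, PIDs and command lines come from the report.
"""
import re
from dataclasses import dataclass

# %TEMP% of any user profile, matched case-insensitively because NTFS paths are.
TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx"}
NON_EXE_EXTS = {".tmp", ".dat", ".bin", ".txt", ".log"}


@dataclass
class ProcEvent:
    """One process-creation record (assumed layout)."""
    pid: int
    ppid: int
    image: str     # full path of the executed image
    cmdline: str   # raw command line as logged


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def extension(path: str) -> str:
    name = basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def in_temp(path: str) -> bool:
    return TEMP_RE.match(path) is not None


def split_args(cmdline: str) -> list:
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def analyse(events: list) -> list:
    """Return (pid, reason) findings for every suspicious step in the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # 1. an image with a non-executable extension executed from %TEMP% (C40.tmp)
        if in_temp(e.image) and extension(e.image) in NON_EXE_EXTS:
            findings.append((e.pid, "non-executable extension launched from Temp"))
        # 2. a Temp binary started by another Temp binary (dropper -> dropped payload)
        if parent is not None and in_temp(e.image) and in_temp(parent.image):
            findings.append((e.pid, "Temp binary spawned by Temp binary"))
        # 3. an Office application started by a Temp binary to open a document from Temp
        if basename(e.image).lower() in OFFICE_APPS and parent is not None and in_temp(parent.image):
            docs = [a for a in split_args(e.cmdline)[1:] if in_temp(a) and extension(a) in DOC_EXTS]
            if docs:
                findings.append((e.pid, "Office decoy document opened from Temp: " + docs[0]))
    return findings


# Constructed from the report's process tree. The parent of PID 2760 is not shown
# in the report, so ppid=0 is a placeholder.
_TEMP = r"C:\Users\Admin\AppData\Local\Temp"
_SAMPLE = _TEMP + r"\2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe"
_DROPPED = _TEMP + r"\C40.tmp"
_DECOY = _TEMP + r"\2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.docx"
_WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
_HEX_ARG = ("79C932DC69B9B4D6C2245A0DFDF2A950E4B76CA89ABAE2749AA32F74C53BBADE"
            "894FB86F54A977F70237B9CDD14E172E0DB1BA88E6253DC08A6E71DE3B4A9AE5")

SAMPLE_EVENTS = [
    ProcEvent(2760, 0, _SAMPLE, f'"{_SAMPLE}"'),
    ProcEvent(1804, 2760, _DROPPED, f'"{_DROPPED}" --help {_SAMPLE} {_HEX_ARG}'),
    ProcEvent(2124, 1804, _WINWORD, f'"{_WINWORD}" /n "{_DECOY}"'),
]

if __name__ == "__main__":
    for pid, reason in analyse(SAMPLE_EVENTS):
        print(f"PID {pid}: {reason}")
```

Run against the constructed events this reports nothing for PID 2760 on its own (a user launching an .exe from Temp is noisy), two findings for PID 1804 (the .tmp extension and the Temp-to-Temp parent relationship), and one for PID 2124 (WINWORD opening the decoy from Temp). The chain as a whole, not any single rule, is what makes the alert worth a look.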
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 486KB
MD5: 4470a78deda7b98dec437b78d3e1f321
SHA1: ffa923ca0dacbf2994779323ea9fd5e345d83f9c
SHA256: 506ee9108176b8eafae70ac43c52a0f331e9fc2be40820faf7bf80634056fdfc
SHA512: 0b55ac2074681e8f0ebffc3c45ea8a2fe9fdaa69cecc8010f3391e6d5780924f770bcf1b5daeea77a2a183afdafdb7cb328701415b29d3fcdc61c277f50f5eb5