Analysis

  • max time kernel
    2s
  • max time network
    1s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-04-2024 16:22

Errors

Reason
Machine shutdown

General

  • Target

    2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe

  • Size

    486KB

  • MD5

    ff1b04dac9fc38e6c6447935348df6c0

  • SHA1

    d85500146f62a8b35e4f2dd7f2f0db37e46e0856

  • SHA256

    398df32ac6aecb1df14e99719da96ca8018bf86048513a5a1891569e9bc3337f

  • SHA512

    1c62dab7b5a3e5903588fff43d8c0554ca5e16048f8bbe2ebf3e94bf8e9ec4e0af8819e87c860f824c2fb4134172a07176df2fac49cf4fa1cac2ddd0ade97e89

  • SSDEEP

    12288:pNrIik39CxP94TcFNhoTPbw0ZDy0WMxSU/:pNrU39Cx1vFNuTTwAy0WMU8

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Users\Admin\AppData\Local\Temp\C40.tmp
      "C:\Users\Admin\AppData\Local\Temp\C40.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.exe 79C932DC69B9B4D6C2245A0DFDF2A950E4B76CA89ABAE2749AA32F74C53BBADE894FB86F54A977F70237B9CDD14E172E0DB1BA88E6253DC08A6E71DE3B4A9AE5
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: RenamesItself
      PID:1804
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-04-29_ff1b04dac9fc38e6c6447935348df6c0_mafia.docx"
        3⤵
          PID:2124

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\C40.tmp

    Filesize

    486KB

    MD5

    4470a78deda7b98dec437b78d3e1f321

    SHA1

    ffa923ca0dacbf2994779323ea9fd5e345d83f9c

    SHA256

    506ee9108176b8eafae70ac43c52a0f331e9fc2be40820faf7bf80634056fdfc

    SHA512

    0b55ac2074681e8f0ebffc3c45ea8a2fe9fdaa69cecc8010f3391e6d5780924f770bcf1b5daeea77a2a183afdafdb7cb328701415b29d3fcdc61c277f50f5eb5

  • memory/1804-8-0x0000000001070000-0x00000000010F2000-memory.dmp

    Filesize

    520KB

  • memory/2760-0-0x00000000001D0000-0x0000000000252000-memory.dmp

    Filesize

    520KB

  • memory/2760-4-0x00000000004B0000-0x0000000000532000-memory.dmp

    Filesize

    520KB

  • memory/2760-7-0x00000000001D0000-0x0000000000252000-memory.dmp

    Filesize

    520KB