Analysis

max time kernel: 93s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-04-2024 16:24

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe
  Resource: win10v2004-20240426-en
General

Target: 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe
Size: 549KB
MD5: 61baabd3480b2985f9df8d77a4a5b7f8
SHA1: 42e2a1ee4abc2a975732eb11ccea700f1f0fb46f
SHA256: a65c9ccabb00b7d75c54d16b09fe27dd9cdea8ec00921a423adcd2b23c9c2ff4
SHA512: 611fa2eb6a4f8b4c05c6e6656ab35d9c3bf58e615438d2791983e5005fd0235e942fd1d1e62b2fe852c3a689430f3c892ae3eb3b14a00a763d2b015ba0072559
SSDEEP: 12288:Z+QhIge+c1e7NR5rq2z9bZBnml/WkjtQhbYjtj:cQIiUehR5rN9FMvsitj
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation
  Process: 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe

Executes dropped EXE (2 IoCs)
  pid 5360  Process: minidownload.exe
  pid 5924  Process: DownLoadDlg.exe

Drops file in Program Files directory (13 IoCs)
  description: File created; Process: minidownload.exe, for each of the following iocs:
  C:\Program Files (x86)\SogouDownLoad\html\css\down.css
  C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
  C:\Program Files (x86)\SogouDownLoad\html\images\btn_spr.gif
  C:\Program Files (x86)\SogouDownLoad\html\images\ico_set.gif
  C:\Program Files (x86)\SogouDownLoad\html\images\ico_spr.gif
  C:\Program Files (x86)\SogouDownLoad\html\images\ico_t.gif
  C:\Program Files (x86)\SogouDownLoad\html\repair.html
  C:\Program Files (x86)\SogouDownLoad\html\images\ico_min.gif
  C:\Program Files (x86)\SogouDownLoad\html\images\img_sx.gif
  C:\Program Files (x86)\SogouDownLoad\html\images\ico_close.gif
  C:\Program Files (x86)\SogouDownLoad\html\images\bg_line.gif
  C:\Program Files (x86)\SogouDownLoad\html\images\img_exe.gif
  C:\Program Files (x86)\SogouDownLoad\html\download.html

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (2 IoCs)
  resource: behavioral2/files/0x00090000000233e4-2.dat  yara_rule: nsis_installer_1
  resource: behavioral2/files/0x00090000000233e4-2.dat  yara_rule: nsis_installer_2

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 5924  Process: DownLoadDlg.exe
  pid 5924  Process: DownLoadDlg.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 2188 wrote to memory of 5360  pid: 2188  Process: 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe  procid_target: 82
  description: PID 2188 wrote to memory of 5360  pid: 2188  Process: 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe  procid_target: 82
  description: PID 2188 wrote to memory of 5360  pid: 2188  Process: 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe  procid_target: 82
  description: PID 2188 wrote to memory of 5924  pid: 2188  Process: 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe  procid_target: 85
  description: PID 2188 wrote to memory of 5924  pid: 2188  Process: 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe  procid_target: 85
  description: PID 2188 wrote to memory of 5924  pid: 2188  Process: 2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe  procid_target: 85
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 2188

    [2] C:\Users\Admin\AppData\Local\Temp\minidownload.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\minidownload.exe
        - Executes dropped EXE
        - Drops file in Program Files directory
        PID: 5360

    [2] C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
        Command line: "C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe" /Install?status=true&softurl=http%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3DYRyEVuHeM45mBjjEUSPVUEJm8GF_McJfVdEjKPrgnocp6RPTnPFSKls2-N19zn1VFn9n9_QE91hsipUd8ZPGCKrHmAlohI-Z5xWab8-hdzEZwANlQSdM_SG1O7Kkpbde98B6SY4clrbMXmmkh16MZMnFugp9LyMZymoJGOaTh0xmq_3hQETA5LFYnXbqILusGMRyn1oqoQ-_IhNtWMXWFw..%26pcid%3D3422649212502276885%26w%3D1950%26filename%3DFirefox-setup-39.0.0.5659.exe%26extra%3D8_tencent%26downloadtype%3Dsoftware&iconurl=http%3A%2F%2Fimgstore.cdn.sogou.com%2Fv2%2Fthumb%2Fretype%2Fext%2Fjpg%2Fcls%2Fimagick%3Fappid%3D200504%26url%3Dhttp%3A%2F%2Fdl.app.sogou.com%2Fpc_logo%2F3422649212502276885.png&softname=%E7%81%AB%E7%8B%90%E6%B5%8F%E8%A7%88%E5%99%A8&softsize=41.4+MB
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID: 5924
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 529KB
MD5: 46339e5e0b54acec4be3b105ee123b36
SHA1: 29963314f6b97d8511caadbf9b2b531ae9fd8344
SHA256: a6192d7b0b7bce4648feda82506bfbd25f6e35299f4ca38a2d0952dfbe669dbb
SHA512: 72a07caf7ad0209400e6acba520594428560ebd81f4c7baa350392fb73b75a8907ce9b175088893d9de2bf0ad710ff2a5a3c0abb0add38fdf538ff6ce870a65c

Filesize: 2KB
MD5: 84db4fb862441444de44fc92f7872b28
SHA1: e84789926527cfc0f07000720799266e7337ce85
SHA256: 2db706458c7b0b41021ef2f10549f4974f134f2d683f46ae4a78f49b97f981f1
SHA512: 39e4b7ace01af64248afcbebd01a1fb550dbb441ca9d083e0ad33cd8a7b859af86baf91d1ddfeb5fe6aafb07cfcbcfee69eb1b4d8016ad974126dbbf31bb3d7c

Filesize: 4KB
MD5: e50275eb17164ac5d97624940ab96a6e
SHA1: 13ee435c49a781db1bebccfa33a8b0c28446ec86
SHA256: afac1879d10be5235a4d074c9084e61aadff82aab839bacc96e39d103ba4f843
SHA512: 4f2cb13394555cd34ad2219740d342f71186c33409c3a69cc454486341b8cbc924e2b5d3208a86b45343dc1fccc2217beb0126fba467f920f014d94516dd0fbb

Filesize: 2KB
MD5: 70d3c5cc5e7561ae74683b1ce4530392
SHA1: 46c09ecdd29f1ef35de4b4b3aea3854099910597
SHA256: 49c130fe7fd6e0d9b9e277383d7b977e2230a2986b311efa6c6e2152b46e26c4
SHA512: 3b02311524984112da93c8bbd09898532870017dcc5c3da1915e31fdf90d22a5bbed2f7328cd938a55c2b296c6ba5edee7fed7fafa6397a8f959c657c1b3b533

Filesize: 1KB
MD5: 35cbcf30c37a40b66a7bdd9520907213
SHA1: f1d252908873ba61906535d7bf14ced37be2aabc
SHA256: 4ae4ea3c7949bffc51a37c6219a9612594c2c48e2b92bff2c5991162b9ce9e41
SHA512: 654a0edee6601c679780550a4d2c080f81acdaf19d470d26164d791f774f6b3efcbc294a9b3f481183f1cff2fe5c2542e4aa3307513ca3499dcd569d0fcb112d

Filesize: 657B
MD5: 0e0ac8352cd69f396f271fa32f3ab554
SHA1: ed6d306a5033707f45477df3318a53d15b47cf43
SHA256: c2c34d6bf4e17b756954e409dc9b5663169d68997abd722ce1e86473b769f10c
SHA512: 5d2528489c21600f16f04559500be3ebe9db5a1dc7bf9abc9c1312187b4b8b7bc5966f9eb2a38e26bff26c854a6d964fa156641fed9501cf0e7befedb60fd7e0

Filesize: 232KB
MD5: 8ee60bd9893bafd259db1189e6650bff
SHA1: d3be976a5a7519f0c608b3f542b9df622ad14a97
SHA256: a40a56b1dc70cb7347635f17a79f03aa71a048a0ebbdff4ad54bfdff8c3e9a6d
SHA512: 78492aca8d2d7201d983eaa94637c80d6adcd915f12e5085aedfa7f186cfb98c20e53414fd8a3cc2f3477482a8dfba166c308f199a825d143af6c520d3db40a7