Analysis

  • max time kernel
    93s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-04-2024 16:24

General

  • Target

    2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe

  • Size

    549KB

  • MD5

    61baabd3480b2985f9df8d77a4a5b7f8

  • SHA1

    42e2a1ee4abc2a975732eb11ccea700f1f0fb46f

  • SHA256

    a65c9ccabb00b7d75c54d16b09fe27dd9cdea8ec00921a423adcd2b23c9c2ff4

  • SHA512

    611fa2eb6a4f8b4c05c6e6656ab35d9c3bf58e615438d2791983e5005fd0235e942fd1d1e62b2fe852c3a689430f3c892ae3eb3b14a00a763d2b015ba0072559

  • SSDEEP

    12288:Z+QhIge+c1e7NR5rq2z9bZBnml/WkjtQhbYjtj:cQIiUehR5rN9FMvsitj

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-29_61baabd3480b2985f9df8d77a4a5b7f8_mafia.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Local\Temp\minidownload.exe
      C:\Users\Admin\AppData\Local\Temp\\minidownload.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:5360
    • C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
      "C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe" /Install?status=true&softurl=http%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3DYRyEVuHeM45mBjjEUSPVUEJm8GF_McJfVdEjKPrgnocp6RPTnPFSKls2-N19zn1VFn9n9_QE91hsipUd8ZPGCKrHmAlohI-Z5xWab8-hdzEZwANlQSdM_SG1O7Kkpbde98B6SY4clrbMXmmkh16MZMnFugp9LyMZymoJGOaTh0xmq_3hQETA5LFYnXbqILusGMRyn1oqoQ-_IhNtWMXWFw..%26pcid%3D3422649212502276885%26w%3D1950%26filename%3DFirefox-setup-39.0.0.5659.exe%26extra%3D8_tencent%26downloadtype%3Dsoftware&iconurl=http%3A%2F%2Fimgstore.cdn.sogou.com%2Fv2%2Fthumb%2Fretype%2Fext%2Fjpg%2Fcls%2Fimagick%3Fappid%3D200504%26url%3Dhttp%3A%2F%2Fdl.app.sogou.com%2Fpc_logo%2F3422649212502276885.png&softname=%E7%81%AB%E7%8B%90%E6%B5%8F%E8%A7%88%E5%99%A8&softsize=41.4+MB
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5924

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe

    Filesize

    529KB

    MD5

    46339e5e0b54acec4be3b105ee123b36

    SHA1

    29963314f6b97d8511caadbf9b2b531ae9fd8344

    SHA256

    a6192d7b0b7bce4648feda82506bfbd25f6e35299f4ca38a2d0952dfbe669dbb

    SHA512

    72a07caf7ad0209400e6acba520594428560ebd81f4c7baa350392fb73b75a8907ce9b175088893d9de2bf0ad710ff2a5a3c0abb0add38fdf538ff6ce870a65c

  • C:\Program Files (x86)\SogouDownLoad\html\css\down.css

    Filesize

    2KB

    MD5

    84db4fb862441444de44fc92f7872b28

    SHA1

    e84789926527cfc0f07000720799266e7337ce85

    SHA256

    2db706458c7b0b41021ef2f10549f4974f134f2d683f46ae4a78f49b97f981f1

    SHA512

    39e4b7ace01af64248afcbebd01a1fb550dbb441ca9d083e0ad33cd8a7b859af86baf91d1ddfeb5fe6aafb07cfcbcfee69eb1b4d8016ad974126dbbf31bb3d7c

  • C:\Program Files (x86)\SogouDownLoad\html\download.html

    Filesize

    4KB

    MD5

    e50275eb17164ac5d97624940ab96a6e

    SHA1

    13ee435c49a781db1bebccfa33a8b0c28446ec86

    SHA256

    afac1879d10be5235a4d074c9084e61aadff82aab839bacc96e39d103ba4f843

    SHA512

    4f2cb13394555cd34ad2219740d342f71186c33409c3a69cc454486341b8cbc924e2b5d3208a86b45343dc1fccc2217beb0126fba467f920f014d94516dd0fbb

  • C:\Program Files (x86)\SogouDownLoad\html\images\btn_spr.gif

    Filesize

    2KB

    MD5

    70d3c5cc5e7561ae74683b1ce4530392

    SHA1

    46c09ecdd29f1ef35de4b4b3aea3854099910597

    SHA256

    49c130fe7fd6e0d9b9e277383d7b977e2230a2986b311efa6c6e2152b46e26c4

    SHA512

    3b02311524984112da93c8bbd09898532870017dcc5c3da1915e31fdf90d22a5bbed2f7328cd938a55c2b296c6ba5edee7fed7fafa6397a8f959c657c1b3b533

  • C:\Program Files (x86)\SogouDownLoad\html\images\ico_t.gif

    Filesize

    1KB

    MD5

    35cbcf30c37a40b66a7bdd9520907213

    SHA1

    f1d252908873ba61906535d7bf14ced37be2aabc

    SHA256

    4ae4ea3c7949bffc51a37c6219a9612594c2c48e2b92bff2c5991162b9ce9e41

    SHA512

    654a0edee6601c679780550a4d2c080f81acdaf19d470d26164d791f774f6b3efcbc294a9b3f481183f1cff2fe5c2542e4aa3307513ca3499dcd569d0fcb112d

  • C:\Program Files (x86)\SogouDownLoad\html\images\img_exe.gif

    Filesize

    657B

    MD5

    0e0ac8352cd69f396f271fa32f3ab554

    SHA1

    ed6d306a5033707f45477df3318a53d15b47cf43

    SHA256

    c2c34d6bf4e17b756954e409dc9b5663169d68997abd722ce1e86473b769f10c

    SHA512

    5d2528489c21600f16f04559500be3ebe9db5a1dc7bf9abc9c1312187b4b8b7bc5966f9eb2a38e26bff26c854a6d964fa156641fed9501cf0e7befedb60fd7e0

  • C:\Users\Admin\AppData\Local\Temp\minidownload.exe

    Filesize

    232KB

    MD5

    8ee60bd9893bafd259db1189e6650bff

    SHA1

    d3be976a5a7519f0c608b3f542b9df622ad14a97

    SHA256

    a40a56b1dc70cb7347635f17a79f03aa71a048a0ebbdff4ad54bfdff8c3e9a6d

    SHA512

    78492aca8d2d7201d983eaa94637c80d6adcd915f12e5085aedfa7f186cfb98c20e53414fd8a3cc2f3477482a8dfba166c308f199a825d143af6c520d3db40a7

  • memory/5924-19-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

    Filesize

    4KB

  • memory/5924-25-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

    Filesize

    4KB