673aa85cb6448f7169724bce79a7eb418306b97acc4e5fa0f98ad6c6772a7707

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-07_865a2c116652b7856857732c181693ff_mafia_revil.exe
Size

14.4MB
MD5

865a2c116652b7856857732c181693ff
SHA1

cf4a02c5a78657d67984b09cccca93ee8d1ddd92
SHA256

673aa85cb6448f7169724bce79a7eb418306b97acc4e5fa0f98ad6c6772a7707
SHA512

8ea89c29804a469c50e16b4a167a1e7d2c13e3dad2684255edf6f1cc1afe4e5f6dd8eb31673e1151439d26169615f6b7efe8c99e66c839eef56e0d76509b38b1
SSDEEP

393216:1VyxYtON/uEoo9VvHO3/M/bZIo07opsu30d2N5cj8gwEYXvx1YHjxvmdqz+GtxAO:1EOtON/uEoo9VvHO3/M/bZIo07opsu30

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4424	2024-05-07_865a2c116652b7856857732c181693ff_mafia_revil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2920	4424	WerFault.exe	82

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	2024-05-07_865a2c116652b7856857732c181693ff_mafia_revil.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	2024-05-07_865a2c116652b7856857732c181693ff_mafia_revil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4424	2024-05-07_865a2c116652b7856857732c181693ff_mafia_revil.exe
4424	2024-05-07_865a2c116652b7856857732c181693ff_mafia_revil.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-07_865a2c116652b7856857732c181693ff_mafia_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-07_865a2c116652b7856857732c181693ff_mafia_revil.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1480
  2⤵
  - Program crash
  PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4424 -ip 4424
1⤵
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pandora.ini

Filesize
19B

MD5
3f8f9b9de078b663a74c860f4f08f9a7

SHA1
40d948b6c6f17e67bd561c6544ff421c5e81dbbc

SHA256
f389de4738326264abbb27bc27ad4510373ea9ba37785acbd2736fadb56e0bd4

SHA512
c88777ec5e6582ded83102fdf8ae8c44e801cc4b1a4dd0a529a9c6c39c51a7c626f6ea620fae1a58e7cd1807b994b4cee9b73d5686d70a9f9573ff48cffdf644

Download Submit
memory/4424-15-0x0000000007F50000-0x0000000007F51000-memory.dmp

Filesize
4KB

Download