9124b063040bddffce50a5b767fd45254a7ab24cba65bff7da2e73a9f2f30407

General

Target

2024-05-27_86fc81c02fca59f6ec4a776559c44120_mafia.exe
Size

447KB
MD5

86fc81c02fca59f6ec4a776559c44120
SHA1

8d4a9bae1cb62b93708a35f5325d7afb5dd08f6a
SHA256

9124b063040bddffce50a5b767fd45254a7ab24cba65bff7da2e73a9f2f30407
SHA512

4d3bdff5fb54caab35e0fb78c7bd2eaf15ec64bb769d3493c0fa53632e339a038fdeaab4d6b0c656b339d71356234b17c375890f959f9c23d4921ac66ab97f68
SSDEEP

12288:w/rYpa1hoj5jsRObPBvlpqznW8VKN3ubY1:wzYpacj5gRObP93qzChubS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	5999.tmp

Executes dropped EXE 1 IoCs

pid	Process
2304	5999.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	5999.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2524	WINWORD.EXE
2524	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2304	5999.tmp

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 2304	4392	2024-05-27_86fc81c02fca59f6ec4a776559c44120_mafia.exe	85
PID 4392 wrote to memory of 2304	4392	2024-05-27_86fc81c02fca59f6ec4a776559c44120_mafia.exe	85
PID 4392 wrote to memory of 2304	4392	2024-05-27_86fc81c02fca59f6ec4a776559c44120_mafia.exe	85
PID 2304 wrote to memory of 2524	2304	5999.tmp	90
PID 2304 wrote to memory of 2524	2304	5999.tmp	90

C:\Users\Admin\AppData\Local\Temp\2024-05-27_86fc81c02fca59f6ec4a776559c44120_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_86fc81c02fca59f6ec4a776559c44120_mafia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\5999.tmp
  "C:\Users\Admin\AppData\Local\Temp\5999.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-05-27_86fc81c02fca59f6ec4a776559c44120_mafia.exe 9A6B94B49568EE4F937B977FDA645CA0F8FEC0177908EE01FF89E180D615E152769A54ACDCCBE3C60B80868ADC0D02890F9D441C79DA0BCB6E9A984CB556BD77
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-05-27_86fc81c02fca59f6ec4a776559c44120_mafia.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-05-27_86fc81c02fca59f6ec4a776559c44120_mafia.doc

Filesize
16KB

MD5
154788a16dea87853dfcbd117f849b55

SHA1
7d36995eb72700adf612129d558b5ace385d672f

SHA256
0bc7a2c149ae6ddb143281c277785f10fda4ff6a75c6c73b862108ee22aafa75

SHA512
5ad5a1a841c5b39f161a9b8bd929a16d21777289e07c10e8cf867e03a78471a5695e806b541569101c41a8bd01b551cb7f06d1ce01b99f2d72bd9994b6cca79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5999.tmp

Filesize
447KB

MD5
2bf71cdcf0400af55a622059f5eb77bc

SHA1
128a3a5e980ff84398d880ad7b9959e484c4cf2e

SHA256
1a48082704f1a6988b95224ffb864ae3183c80733138351d1fb7050cfa07706e

SHA512
9eb07fdd333073bd5458a56b5302e55608717590e472afe9a41537196a09b99f1d0f190b654bf0bf24b8cb51189ed81af5ce47433465b1816124065a648a7681

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA6B0.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
memory/2524-26-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-25-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-17-0x00007FFC9D310000-0x00007FFC9D320000-memory.dmp

Filesize
64KB

Download
memory/2524-16-0x00007FFC9D310000-0x00007FFC9D320000-memory.dmp

Filesize
64KB

Download
memory/2524-18-0x00007FFCDD32D000-0x00007FFCDD32E000-memory.dmp

Filesize
4KB

Download
memory/2524-19-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-21-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-23-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-22-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-24-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-27-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-14-0x00007FFC9D310000-0x00007FFC9D320000-memory.dmp

Filesize
64KB

Download
memory/2524-28-0x00007FFC9B2B0000-0x00007FFC9B2C0000-memory.dmp

Filesize
64KB

Download
memory/2524-15-0x00007FFC9D310000-0x00007FFC9D320000-memory.dmp

Filesize
64KB

Download
memory/2524-20-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-30-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-32-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-34-0x00007FFC9B2B0000-0x00007FFC9B2C0000-memory.dmp

Filesize
64KB

Download
memory/2524-33-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-31-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-29-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-13-0x00007FFC9D310000-0x00007FFC9D320000-memory.dmp

Filesize
64KB

Download
memory/2524-529-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download
memory/2524-549-0x00007FFC9D310000-0x00007FFC9D320000-memory.dmp

Filesize
64KB

Download
memory/2524-552-0x00007FFC9D310000-0x00007FFC9D320000-memory.dmp

Filesize
64KB

Download
memory/2524-551-0x00007FFC9D310000-0x00007FFC9D320000-memory.dmp

Filesize
64KB

Download
memory/2524-550-0x00007FFC9D310000-0x00007FFC9D320000-memory.dmp

Filesize
64KB

Download
memory/2524-553-0x00007FFCDD290000-0x00007FFCDD485000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads