52529b4cc4f65ce2060b0c67d42b3a1d041c62851d5958231542b564ad5f6ebc

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe
Size

3.4MB
MD5

f3ee673f86e2e694a6fb5da1c003e524
SHA1

cca201abd94149973d3e4a7cacbeb404e2f9ad6b
SHA256

52529b4cc4f65ce2060b0c67d42b3a1d041c62851d5958231542b564ad5f6ebc
SHA512

29c5590d9f5eaa700e22a8ecde28cb2ec7d7126399d84d16ffc84157d1601eabc99915880ba5dfdf24a185d3107843009d49779100e4e5f11b0b6cf6f62cbc3b
SSDEEP

98304:GbWKy0Q45kXxL3ch6iq/4cQjU/P4/Hx2K4Ye+9pPjtSEYBx1:lC6YcQQow6e+9pPjtPW

Score

1^/10

Malware Config

Signatures

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe
2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe
2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1932	2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe	28
PID 2256 wrote to memory of 1932	2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe	28
PID 2256 wrote to memory of 1932	2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe	28
PID 2256 wrote to memory of 1932	2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe	28
PID 2256 wrote to memory of 2668	2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe	32
PID 2256 wrote to memory of 2668	2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe	32
PID 2256 wrote to memory of 2668	2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe	32
PID 2256 wrote to memory of 2668	2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe	32
PID 2668 wrote to memory of 2512	2668	cmd.exe	34
PID 2668 wrote to memory of 2512	2668	cmd.exe	34
PID 2668 wrote to memory of 2512	2668	cmd.exe	34
PID 2668 wrote to memory of 2512	2668	cmd.exe	34
PID 2512 wrote to memory of 2536	2512	net.exe	35
PID 2512 wrote to memory of 2536	2512	net.exe	35
PID 2512 wrote to memory of 2536	2512	net.exe	35
PID 2512 wrote to memory of 2536	2512	net.exe	35
PID 2256 wrote to memory of 496	2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe	36
PID 2256 wrote to memory of 496	2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe	36
PID 2256 wrote to memory of 496	2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe	36
PID 2256 wrote to memory of 496	2256	2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe	36
PID 496 wrote to memory of 828	496	cmd.exe	38
PID 496 wrote to memory of 828	496	cmd.exe	38
PID 496 wrote to memory of 828	496	cmd.exe	38
PID 496 wrote to memory of 828	496	cmd.exe	38
PID 828 wrote to memory of 2172	828	net.exe	39
PID 828 wrote to memory of 2172	828	net.exe	39
PID 828 wrote to memory of 2172	828	net.exe	39
PID 828 wrote to memory of 2172	828	net.exe	39

C:\Users\Admin\AppData\Local\Temp\2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_f3ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C: & cd C:\Users\Admin\AppData\Local\Temp\ee673f86e2e694a6fb5da1c003e524_mafia_revil.exe & sysmon64 -accepteula -i -n
  2⤵
  PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net start sysmon64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\net.exe
    net start sysmon64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start sysmon64
      4⤵
      PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net start sysmon64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:496
- - C:\Windows\SysWOW64\net.exe
    net start sysmon64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start sysmon64
      4⤵
      PID:2172

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads