b1577a1a83f863db137f4e23b04c25a99e440646151035ecacbac6c95481629c

General

Target

2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
Size

8.4MB
MD5

ffa4af7adf27bb1ccdbe20c49cfe2b92
SHA1

dffeaacc38c70d59b263095a38bbe0770c83ba56
SHA256

b1577a1a83f863db137f4e23b04c25a99e440646151035ecacbac6c95481629c
SHA512

dd4b5fe64fd3b095c0e117d539f671be82b18dc6a2b033da62f572e2dd0536e0954ab99509a62e13e46c5e930aba4ba207f7f33ca311db671b43ed24455d1121
SSDEEP

196608:nc0FPSFS3hbFWiI2R7yj04cBzbu+K955:ncUakxZxRd80tK955

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ed2k\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe"	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ed2k\ = "URL: ed2k Protocol"	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ed2k\shell\open\command	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ed2k\DefaultIcon	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ed2k\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe\" \"%1\""	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ed2k\URL Protocol	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ed2k	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ed2k\shell	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ed2k\shell\open	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
2236	2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_ffa4af7adf27bb1ccdbe20c49cfe2b92_mafia.exe"
1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\eMule\config\Category.ini

Filesize
689B

MD5
5c89a37149e36ba57237288a4bc3984e

SHA1
f2c899f44304be949ea08be1b54724c6d3c05e01

SHA256
128e36cf7b65fef2e313b0f4b6a5cc2de4113a3e39a6d849d47f0da59521f8c0

SHA512
93e45319447a47d1f14687d7d9b4f6dd6ec4394010841c497581533368d2ce31b4c874594d80a4d916f081d667aa1f400a52c1a1371f6e864484d4bdfdb32eff

Download Submit
C:\Users\Admin\AppData\Local\eMule\config\preferences.ini

Filesize
1KB

MD5
55a0ebb918a2059989f1db6d3e2229a0

SHA1
d350e0aa185518c64e9e8b4874791579edb097be

SHA256
713cbb132ecb762d65d016f392a237ab96e438b39974c98db6ce922a8017c4ad

SHA512
479c652659a3e2b31cf744a64ee872020a3d5f0bb74a09113a523d51c8fedf03968b4b45b66a2b32d4bc7b9f9772fdd75880e1a7eed23e2913e6623060b16be9

Download Submit
C:\Users\Admin\AppData\Local\eMule\config\preferences.ini

Filesize
4KB

MD5
f2aaebc46c5b16aa457715c7e948c7b1

SHA1
f6a149b9610b2914502886bea861636d90fb0e6a

SHA256
c4c03794b025adef56f6cec3577011e9d124472745b3ab79f523559ecc9cc9ec

SHA512
90408d7509bc530e387a1d622bbad3469f68da4713c73cb719054a9f71803eb796c06694fe105a9e63e487c051ac204551cc5c63eff30780530e93300fcb630b

Download Submit
C:\Users\Admin\AppData\Local\eMule\config\preferences.ini

Filesize
547B

MD5
2696fb85b8e93ffd2a52267706e8d549

SHA1
074400951274d397797ee4d7e9b94f928ec2d214

SHA256
b1571285ac60c35dd3cd358bf64f0c823db1e0946a68dd8d8160ab0e9ca8e249

SHA512
3d58edec75e6758c2eecbbd11a19a5b47261a0d4d011682ee7f91c86a5fcbd2f24580a5a44051161a9564684f93973911d225dda50caf1ba77aa1d9ab129ba4e

Download Submit
C:\Users\Admin\AppData\Local\eMule\config\preferences.ini

Filesize
1KB

MD5
c22261d7e105777f025b7b281756ef89

SHA1
5ea19788f84ba7c00697f8196f38944ff16fa8ae

SHA256
002d673873dc44ed47bcb4d9c2094357007e19d630906f4aadcad689234e800d

SHA512
e54c78b11d85294c1077ae16b43cc2cda9bc2df616509c695810fa070593b8663322c46c6f7722ca6be17ceffa1711eb8bbd43e2e45817e9cfdf41946d535050

Download Submit
C:\Users\Admin\AppData\Local\eMule\config\preferences.ini

Filesize
1KB

MD5
b6a1f85e34ce02771f66a6ef22df172a

SHA1
3a363b62698bb713307203db18d60c611a4ccde9

SHA256
a4eed9dc5cfb9b19ae1840b1bb322838a4dd9e7a02eee2252c94aa1d1174de9a

SHA512
6e81cee199d1ae452f0c59a278d3af86339c6aa9d4d0d94023f6f8ccd9faea7966a889916fed69d3128a207cbc2793a1d379be748f98b3c46611175b6a6ca250

Download Submit
C:\Users\Admin\AppData\Local\eMule\config\statistics.ini

Filesize
1KB

MD5
610cf60759f05b367d3c7f4eb18cd666

SHA1
b7900838c7c5171552e031cd8a4c3322c08c8c63

SHA256
5219d729bdb01f46378ada7842d32a2319b5916005bcb4f90e3ee043133c89bb

SHA512
49ebe3c365b42a28b24741ed96f1049d234606a9f80c2f879f0aa11091766867bd8561d12707a2741f1fbbfec1ec7ca801ddde3240f37e83743ec7d25254ee0e

Download Submit
C:\Users\Admin\AppData\Local\eMule\config\statistics.ini

Filesize
1KB

MD5
a4bae34b325551fd10f4b0f88afbfb91

SHA1
0b0eec693ed4450ba8d4cd0e7c5f7f84ff7ccc12

SHA256
1be0f3cfde426934e996e44c0e6c1d9a5d033a0357caad2e907622a73c8a7d56

SHA512
5122a82662d33d223924652e9d2ca1dfbfb30352969bf1a160f1576ebb2eca38e4ae524e1c0aa0f8276d4bc96275af01f3811ec9d184f13a855f4077d3c0c2e1

Download Submit

Analysis

Sharing