Analysis Overview
SHA256
4f484642b50929c6dd27f5aa444f55d5db39313e7fcc1e84c300f7f6430164aa
Threat Level: Shows suspicious behavior
The file 2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia was found to show suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-02 04:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 04:46
Reported
2024-06-02 04:49
Platform
win7-20240220-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20BA.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20BA.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3040 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia.exe | C:\Users\Admin\AppData\Local\Temp\20BA.tmp |
| PID 3040 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia.exe | C:\Users\Admin\AppData\Local\Temp\20BA.tmp |
| PID 3040 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia.exe | C:\Users\Admin\AppData\Local\Temp\20BA.tmp |
| PID 3040 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia.exe | C:\Users\Admin\AppData\Local\Temp\20BA.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia.exe"
C:\Users\Admin\AppData\Local\Temp\20BA.tmp
"C:\Users\Admin\AppData\Local\Temp\20BA.tmp" --pingC:\Users\Admin\AppData\Local\Temp\2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia.exe 2FB4C8601A6BA7A021DADD293B53FC660C5DE216BF45BE03C14EDACF29180398FB89E9C5609CF940ACB2D170C10B797B91E4907D1BD3DA3EB652F8950D86CDC9
Network
Files
\Users\Admin\AppData\Local\Temp\20BA.tmp
| Hash | Value |
|---|---|
| MD5 | cb23af904217aba68cb3394c33b337fc |
| SHA1 | 91ae21426511303fc08530ebc6364218eb293c0d |
| SHA256 | a15a89ac732fd08bf11740015c9794be0df63e4afacddb3eb66643a92f10d9c7 |
| SHA512 | 6d01d3c4a160133faacb736889fd89ee8905e2ad49ced9e77606f876751a005360be656f3d571007b3263bd16c288de1ce6bb335d43609d06da514e509d20d07 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 04:46
Reported
2024-06-02 04:49
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3BA1.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3BA1.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4080 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia.exe | C:\Users\Admin\AppData\Local\Temp\3BA1.tmp |
| PID 4080 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia.exe | C:\Users\Admin\AppData\Local\Temp\3BA1.tmp |
| PID 4080 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia.exe | C:\Users\Admin\AppData\Local\Temp\3BA1.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia.exe"
C:\Users\Admin\AppData\Local\Temp\3BA1.tmp
"C:\Users\Admin\AppData\Local\Temp\3BA1.tmp" --pingC:\Users\Admin\AppData\Local\Temp\2024-06-02_c604a8b9f061c869b2f1f698e2138d5e_mafia.exe CF8CF241A65843A7E8AD3B4DF433E8442ADEDE13D0D3B4693E34A3FE73EB02F702DBFC58093E245AB0542A4344E4764CA5426D34592B6731F53B2D04594E77AF
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3BA1.tmp
| Hash | Value |
|---|---|
| MD5 | 35a3b326884e1b3f33a89510981e4702 |
| SHA1 | 559869754493af9356b3ef66a49d09efb41eb32c |
| SHA256 | 404535292b30bf8009bedcba3d7a1d449a57c2b858e2eaed86074dda1f0d5bb7 |
| SHA512 | 2c067a53d9cd433e81e7a49494c327d423fb14b8e516b414155fa802a1b6edd0b62e26eaf222965173dd0d250d705fa45273b670eadc526525426d42663aa10d |