Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
05/06/2024, 15:02
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe
-
Size
508KB
-
MD5
a3f87d74088b855b35421cc71e1a8753
-
SHA1
37d9db5842fb97e52035fc23b5ff8c84eba79af7
-
SHA256
35b6647fb15ee4fb2ebfcf049f3718130099a1a73cd924f33fc224b046bbc210
-
SHA512
430c9178f18be3098a99168c1f6c6bb18ae0a332c2882a4416b5700947d4219bbd333058fb7219d2f2560656ed2945e3632946c5e69a0388ad9ed4dea2b7c781
-
SSDEEP
12288:xv9RGfqZ2Z3NBDYXZ35g6LyCluJCmAgoF:xvifqZ2voZ35g6Lo0ge
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe -
Executes dropped EXE 1 IoCs
pid Process 2144 s6938.exe -
Loads dropped DLL 4 IoCs
pid Process 2436 2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe 2436 2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe 2436 2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe 2436 2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS 2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer 2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2436 2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe 2144 s6938.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2144 s6938.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2144 s6938.exe 2144 s6938.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2436 wrote to memory of 2144 2436 2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe 28 PID 2436 wrote to memory of 2144 2436 2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe 28 PID 2436 wrote to memory of 2144 2436 2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe 28 PID 2436 wrote to memory of 2144 2436 2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\n6938\s6938.exe"C:\Users\Admin\AppData\Local\Temp\n6938\s6938.exe" ins.exe /e 5916625 /u 50d1d9d5-cf90-407c-820a-35e05bc06f2f /v "C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2144
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
284KB
MD556c3c0bea17637a46ab6d82507923e75
SHA1de31ef91d7568429b34a00b23c3b2be815417e2a
SHA256b5518025103fc369faed527131b8c09df89f58bad97674388b36291b96cbb13a
SHA512fb3c60e5bf4cf73ea6c101d3a811016a4d30bf467da9f412321d856de1d949bec9a11f3adaf1c7fb0238ddd429759a743de927a8181dd14eb2638ee52677d16c