Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/06/2024, 15:02

General

  • Target

    2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe

  • Size

    508KB

  • MD5

    a3f87d74088b855b35421cc71e1a8753

  • SHA1

    37d9db5842fb97e52035fc23b5ff8c84eba79af7

  • SHA256

    35b6647fb15ee4fb2ebfcf049f3718130099a1a73cd924f33fc224b046bbc210

  • SHA512

    430c9178f18be3098a99168c1f6c6bb18ae0a332c2882a4416b5700947d4219bbd333058fb7219d2f2560656ed2945e3632946c5e69a0388ad9ed4dea2b7c781

  • SSDEEP

    12288:xv9RGfqZ2Z3NBDYXZ35g6LyCluJCmAgoF:xvifqZ2voZ35g6Lo0ge

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
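The first signature in the list is a standard anti-analysis check: the sample reads ACPI table identifiers out of the registry and looks for a VirtualBox vendor string. The script below is an added example, not code from the sandbox report or from the sample itself; it reproduces the lookup so an analyst can confirm what the sample would see on a given analysis VM. It assumes the signature refers to the subkey names under HKLM\HARDWARE\ACPI\DSDT, FADT and RSDT (the ACPI table OEM IDs, which VirtualBox guests expose as VBOX__); the report does not state which keys the sample touched. The marker table and the two sample registry snapshots are constructed for illustration.

```python
r"""Added example: the 'Identifies VirtualBox via ACPI registry values' check.

Assumptions (not stated in the sandbox report): the sample enumerates the
subkeys under HKLM\HARDWARE\ACPI\{DSDT,FADT,RSDT}; the marker strings and the
sample snapshots below are this example's own, not captured from the sample.
"""
import sys
from typing import Dict, Iterable, List, Tuple

ACPI_ROOT = r"HARDWARE\ACPI"
ACPI_TABLES = ("DSDT", "FADT", "RSDT")

# Substrings that identify a hypervisor when they appear in an ACPI OEM ID.
# 'VBOX' is the VirtualBox marker the signature is about; 'VMWARE' is added
# here as an assumption so the check is not VirtualBox-only.
VM_MARKERS = {
    "VBOX": "VirtualBox",
    "VMWARE": "VMware",
}


def classify_acpi_keys(subkeys: Dict[str, Iterable[str]]) -> List[Tuple[str, str, str]]:
    r"""Return (table, subkey, product) for every ACPI subkey naming a hypervisor.

    `subkeys` maps a table name ('DSDT', ...) to the subkey names found under
    HKLM\HARDWARE\ACPI\<table>. Matching is case-insensitive; ACPI OEM IDs are
    padded with underscores (e.g. 'VBOX__'), which substring matching ignores.
    """
    hits: List[Tuple[str, str, str]] = []
    for table, names in subkeys.items():
        for name in names:
            upper = name.upper()
            for marker, product in VM_MARKERS.items():
                if marker in upper:
                    hits.append((table, name, product))
                    break
    return hits


def is_vm_visible(subkeys: Dict[str, Iterable[str]]) -> bool:
    """True when at least one ACPI subkey would reveal a hypervisor to the sample."""
    return bool(classify_acpi_keys(subkeys))


def read_acpi_subkeys_windows() -> Dict[str, List[str]]:
    """Enumerate the real keys on a Windows host (winreg is Windows-only)."""
    import winreg  # imported here so the module still loads on other platforms

    result: Dict[str, List[str]] = {}
    for table in ACPI_TABLES:
        names: List[str] = []
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACPI_ROOT + "\\" + table) as key:
                index = 0
                while True:
                    try:
                        names.append(winreg.EnumKey(key, index))
                    except OSError:  # no more subkeys
                        break
                    index += 1
        except OSError:
            pass  # table key absent on this host
        result[table] = names
    return result


# Constructed sample snapshots: what a VirtualBox Windows 7 guest typically
# shows versus a physical machine. Illustrative only, not taken from the sandbox.
SAMPLE_VBOX_GUEST = {
    "DSDT": ["VBOX__"],
    "FADT": ["VBOX__"],
    "RSDT": ["VBOX__"],
}
SAMPLE_PHYSICAL = {
    "DSDT": ["LENOVO"],
    "FADT": ["LENOVO"],
    "RSDT": ["LENOVO"],
}


if __name__ == "__main__":
    keys = read_acpi_subkeys_windows() if sys.platform == "win32" else SAMPLE_VBOX_GUEST
    for table, name, product in classify_acpi_keys(keys):
        print("HKLM\\" + ACPI_ROOT + "\\" + table + "\\" + name + " -> " + product)
```

Run on the analysis VM itself, the script lists exactly the values the sample could use to detect it; if it prints any line, the sandbox should expect the sample to take its anti-VM branch, and the benign-looking run above should be read with that in mind.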

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Loads dropped DLL
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Users\Admin\AppData\Local\Temp\n6938\s6938.exe
      "C:\Users\Admin\AppData\Local\Temp\n6938\s6938.exe" ins.exe /e 5916625 /u 50d1d9d5-cf90-407c-820a-35e05bc06f2f /v "C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2144

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • \Users\Admin\AppData\Local\Temp\n6938\s6938.exe

          Filesize

          284KB

          MD5

          56c3c0bea17637a46ab6d82507923e75

          SHA1

          de31ef91d7568429b34a00b23c3b2be815417e2a

          SHA256

          b5518025103fc369faed527131b8c09df89f58bad97674388b36291b96cbb13a

          SHA512

          fb3c60e5bf4cf73ea6c101d3a811016a4d30bf467da9f412321d856de1d949bec9a11f3adaf1c7fb0238ddd429759a743de927a8181dd14eb2638ee52677d16c

        • memory/2144-14-0x000007FEF5F2E000-0x000007FEF5F2F000-memory.dmp

          Filesize

          4KB

        • memory/2144-15-0x0000000000430000-0x000000000043A000-memory.dmp

          Filesize

          40KB

        • memory/2144-16-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

          Filesize

          9.6MB

        • memory/2144-17-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

          Filesize

          9.6MB

        • memory/2144-18-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

          Filesize

          9.6MB