Analysis

  • max time kernel
    0s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/06/2024, 15:02

General

  • Target

    2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe

  • Size

    508KB

  • MD5

    a3f87d74088b855b35421cc71e1a8753

  • SHA1

    37d9db5842fb97e52035fc23b5ff8c84eba79af7

  • SHA256

    35b6647fb15ee4fb2ebfcf049f3718130099a1a73cd924f33fc224b046bbc210

  • SHA512

    430c9178f18be3098a99168c1f6c6bb18ae0a332c2882a4416b5700947d4219bbd333058fb7219d2f2560656ed2945e3632946c5e69a0388ad9ed4dea2b7c781

  • SSDEEP

    12288:xv9RGfqZ2Z3NBDYXZ35g6LyCluJCmAgoF:xvifqZ2voZ35g6Lo0ge

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:3652
    • C:\Users\Admin\AppData\Local\Temp\n6948\s6948.exe
      "C:\Users\Admin\AppData\Local\Temp\n6948\s6948.exe" ins.exe /e 5916625 /u 50d1d9d5-cf90-407c-820a-35e05bc06f2f /v "C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe"
      2⤵
        PID:2468
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 4476
        2⤵
        • Program crash
        PID:944
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3652 -ip 3652
      1⤵
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\n6948\s6948.exe
    Filesize: 284KB
    MD5: 56c3c0bea17637a46ab6d82507923e75
    SHA1: de31ef91d7568429b34a00b23c3b2be815417e2a
    SHA256: b5518025103fc369faed527131b8c09df89f58bad97674388b36291b96cbb13a
    SHA512: fb3c60e5bf4cf73ea6c101d3a811016a4d30bf467da9f412321d856de1d949bec9a11f3adaf1c7fb0238ddd429759a743de927a8181dd14eb2638ee52677d16c
  • memory/2468-11-0x00007FFFD9215000-0x00007FFFD9216000-memory.dmp
    Filesize: 4KB
  • memory/2468-12-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp
    Filesize: 9.6MB
  • memory/2468-14-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp
    Filesize: 9.6MB
  • memory/2468-13-0x0000000001580000-0x000000000158A000-memory.dmp
    Filesize: 40KB
  • memory/2468-18-0x000000001C770000-0x000000001C80C000-memory.dmp
    Filesize: 624KB
  • memory/2468-17-0x000000001C200000-0x000000001C6CE000-memory.dmp
    Filesize: 4.8MB
  • memory/2468-19-0x0000000001560000-0x0000000001568000-memory.dmp
    Filesize: 32KB
  • memory/2468-20-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp
    Filesize: 9.6MB
  • memory/2468-21-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp
    Filesize: 9.6MB
  • memory/2468-22-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp
    Filesize: 9.6MB
  • memory/2468-23-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp
    Filesize: 9.6MB
  • memory/2468-24-0x000000001DAE0000-0x000000001DB42000-memory.dmp
    Filesize: 392KB
  • memory/2468-25-0x00000000201D0000-0x000000002030C000-memory.dmp
    Filesize: 1.2MB
  • memory/2468-26-0x0000000020820000-0x0000000020D2E000-memory.dmp
    Filesize: 5.1MB
  • memory/2468-27-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp
    Filesize: 9.6MB
  • memory/2468-29-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp
    Filesize: 9.6MB