Malware Analysis Report

2025-08-06 01:30

Sample ID 240605-seflzaac7v
Target 2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia
SHA256 35b6647fb15ee4fb2ebfcf049f3718130099a1a73cd924f33fc224b046bbc210
Tags
evasion
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

35b6647fb15ee4fb2ebfcf049f3718130099a1a73cd924f33fc224b046bbc210

Threat Level: Likely malicious

The file 2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia was found to be: Likely malicious.

Malicious Activity Summary

evasion

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Loads dropped DLL

Executes dropped EXE

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 15:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 15:02

Reported

2024-06-05 15:05

Platform

win7-20240508-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n6938\s6938.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n6938\s6938.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\n6938\s6938.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n6938\s6938.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n6938\s6938.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\n6938\s6938.exe

"C:\Users\Admin\AppData\Local\Temp\n6938\s6938.exe" ins.exe /e 5916625 /u 50d1d9d5-cf90-407c-820a-35e05bc06f2f /v "C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.socdn.com | udp
US | 76.223.26.96:80 | api.socdn.com | tcp

Files

\Users\Admin\AppData\Local\Temp\n6938\s6938.exe

MD5 56c3c0bea17637a46ab6d82507923e75
SHA1 de31ef91d7568429b34a00b23c3b2be815417e2a
SHA256 b5518025103fc369faed527131b8c09df89f58bad97674388b36291b96cbb13a
SHA512 fb3c60e5bf4cf73ea6c101d3a811016a4d30bf467da9f412321d856de1d949bec9a11f3adaf1c7fb0238ddd429759a743de927a8181dd14eb2638ee52677d16c

memory/2144-14-0x000007FEF5F2E000-0x000007FEF5F2F000-memory.dmp

memory/2144-15-0x0000000000430000-0x000000000043A000-memory.dmp

memory/2144-16-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

memory/2144-17-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

memory/2144-18-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 15:02

Reported

2024-06-05 15:05

Platform

win10v2004-20240426-en

Max time kernel

0s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe | N/A
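How the signatures tabled in both detonations fire, as an added example that is not part of the sandbox report or its tooling: a Python script that replays a constructed event log (registry key opens, value queries, file writes, process creations, DNS lookups) against the indicators the report lists, and extracts the dropped-stage chain (the Temp\n<id>\s<id>.exe path and the /e, /u and /v arguments on its command line). The event schema and the process IDs are this script's own assumptions; the registry paths, file paths, arguments and domain are copied from the report. The extra VirtualBox ACPI tables (FADT, RSDT) and BIOS values (SystemProductName, SystemBiosVersion) are assumed VM fingerprints added for coverage beyond the two keys this sample actually touched, and the n<id>\s<id>.exe regex generalises from the two runs shown (n6938/s6938 and n6948/s6948).

```python
"""Replay this report's behavioural signatures against a constructed event log.

Added example, not part of the sandbox report. Event dicts, their field names
("kind", "pid", "path", ...) and the pids are invented; paths, arguments and the
domain are taken from the report.
"""
import re

# Registry keys whose mere existence/opening fingerprints a VM. The DSDT\VBOX__
# key is the one this sample opened; FADT/RSDT are assumed extra VirtualBox tables.
VM_KEYS = {
    r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__": "VirtualBox ACPI DSDT table",
    r"\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__": "VirtualBox ACPI FADT table",
    r"\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__": "VirtualBox ACPI RSDT table",
}
# BIOS values whose contents name the hypervisor. SystemManufacturer is the one
# queried here; the other two are assumed additions.
BIOS_VALUES = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion",
}
# Dropped-stage naming from both runs: ...\Temp\n<digits>\s<same digits>.exe
DROPPED_RE = re.compile(r"\\Temp\\n(\d+)\\s\1\.exe$", re.IGNORECASE)
# Argument shape of the second stage: /e <number> /u <GUID> /v "<parent path>"
ARG_RE = re.compile(r'/e\s+(\d+)\s+/u\s+([0-9a-f-]{36})\s+/v\s+"([^"]+)"', re.IGNORECASE)

MAFIA = r"C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\n6938\s6938.exe"

# Constructed event log mirroring behavioral1 (pids invented, last event is benign noise).
EVENTS = [
    {"kind": "proc_create", "pid": 1000, "ppid": 600, "image": MAFIA, "cmdline": f'"{MAFIA}"'},
    {"kind": "reg_open", "pid": 1000, "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"kind": "reg_open", "pid": 1000, "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"},
    {"kind": "reg_query", "pid": 1000,
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"kind": "file_write", "pid": 1000, "path": STAGE2},
    {"kind": "proc_create", "pid": 1001, "ppid": 1000, "image": STAGE2,
     "cmdline": f'"{STAGE2}" ins.exe /e 5916625 /u 50d1d9d5-cf90-407c-820a-35e05bc06f2f /v "{MAFIA}"'},
    {"kind": "dns", "pid": 1001, "name": "api.socdn.com"},
    {"kind": "reg_open", "pid": 1001, "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"},
]


def triage(events):
    """Return the signatures that fire, the dropped-stage chain and contacted domains."""
    findings = []   # (signature name, pid, indicator)
    written = set()  # paths this run created, lower-cased for comparison
    dropped = []
    domains = set()
    for ev in events:
        kind = ev["kind"]
        if kind == "reg_open" and ev["path"] in VM_KEYS:
            findings.append(("Identifies VirtualBox via ACPI registry values", ev["pid"], ev["path"]))
        elif kind == "reg_query" and ev["path"] in BIOS_VALUES:
            findings.append(("Enumerates system info in registry", ev["pid"], ev["path"]))
        elif kind == "file_write":
            written.add(ev["path"].lower())
        elif kind == "proc_create":
            image = ev["image"]
            if image.lower() in written:   # executed a file this run itself wrote
                findings.append(("Executes dropped EXE", ev["pid"], image))
            name = DROPPED_RE.search(image)
            args = ARG_RE.search(ev["cmdline"])
            if name or args:
                dropped.append({
                    "image": image, "ppid": ev["ppid"],
                    "stage_id": name.group(1) if name else None,
                    "e": args.group(1) if args else None,
                    "u": args.group(2) if args else None,
                    "v": args.group(3) if args else None,
                })
        elif kind == "dns":
            domains.add(ev["name"])
    return {"findings": findings, "dropped": dropped, "domains": sorted(domains)}


if __name__ == "__main__":
    result = triage(EVENTS)
    for sig, pid, indicator in result["findings"]:
        print(f"[{pid}] {sig}: {indicator}")
    for stage in result["dropped"]:
        print(f"dropped stage {stage['stage_id']} from pid {stage['ppid']}: /e={stage['e']} /u={stage['u']}")
    print("domains:", ", ".join(result["domains"]))
```

The same three signatures fire on the behavioral2 events if the n6948\s6948.exe path is substituted; the /e and /u values are identical across both runs, which makes them more stable pivots than the per-run stage directory name.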

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\n6948\s6948.exe

"C:\Users\Admin\AppData\Local\Temp\n6948\s6948.exe" ins.exe /e 5916625 /u 50d1d9d5-cf90-407c-820a-35e05bc06f2f /v "C:\Users\Admin\AppData\Local\Temp\2024-06-05_a3f87d74088b855b35421cc71e1a8753_mafia.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3652 -ip 3652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 4476

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | api.socdn.com | udp
US | 13.248.148.254:80 | api.socdn.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.148.248.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\n6948\s6948.exe

MD5 56c3c0bea17637a46ab6d82507923e75
SHA1 de31ef91d7568429b34a00b23c3b2be815417e2a
SHA256 b5518025103fc369faed527131b8c09df89f58bad97674388b36291b96cbb13a
SHA512 fb3c60e5bf4cf73ea6c101d3a811016a4d30bf467da9f412321d856de1d949bec9a11f3adaf1c7fb0238ddd429759a743de927a8181dd14eb2638ee52677d16c

memory/2468-11-0x00007FFFD9215000-0x00007FFFD9216000-memory.dmp

memory/2468-12-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp

memory/2468-14-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp

memory/2468-13-0x0000000001580000-0x000000000158A000-memory.dmp

memory/2468-18-0x000000001C770000-0x000000001C80C000-memory.dmp

memory/2468-17-0x000000001C200000-0x000000001C6CE000-memory.dmp

memory/2468-19-0x0000000001560000-0x0000000001568000-memory.dmp

memory/2468-20-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp

memory/2468-21-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp

memory/2468-22-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp

memory/2468-23-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp

memory/2468-24-0x000000001DAE0000-0x000000001DB42000-memory.dmp

memory/2468-25-0x00000000201D0000-0x000000002030C000-memory.dmp

memory/2468-26-0x0000000020820000-0x0000000020D2E000-memory.dmp

memory/2468-27-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp

memory/2468-29-0x00007FFFD8F60000-0x00007FFFD9901000-memory.dmp