Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-06-2024 20:02

General

  • Target

    2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe

  • Size

    1.2MB

  • MD5

    c84c8644b728946aee5b61f4a59ce67a

  • SHA1

    382daffc622001ada245e8676a5de4519ff50bbc

  • SHA256

    4374a3ba86424230357d1a11470bd45dc911a9a71941f6c10fcf0e23b91e50f3

  • SHA512

    54f7aa0b3679aef090feb91c53e30857ec920a97cfc306471468da5f98f500a005700a8cd7a904822d0b6636cfc81234a31dccf76a48d028dee8263b49c04cfb

  • SSDEEP

    24576:+1QfopqgaJXi6kgaINVD4W7CS7YsXDV6YkHzr9jWp049cYzK15yaGOjbvD/+Xbd8:+1wg2XiTcNV7CS7bkY8xWa49cYW5yKDf

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser profile data, which can include saved credentials.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe"
    1⤵
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Users\Admin\AppData\Local\Temp\SYKIMDWWYCI\tmppack.exe
      -y
      2⤵
      • Executes dropped EXE
      PID:2792
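
    The process tree above records the sample, itself running from the user's Temp folder, launching a second executable that it dropped into a Temp subfolder and passing it the -y switch. The Python below is an added example, not part of the sandbox report: it applies a parent/child rule over constructed process-creation events modelled on that tree and flags any Temp-resident executable that is spawned by another Temp-resident executable, keeping the command line so the analyst can see the arguments. PIDs 2252 and 2792 and both image paths come from the report; the explorer.exe parent, the benign notepad++.exe event and the other PIDs are made up for the example, and the function names are the editor's own.

```python
"""Flag a Temp-to-Temp process chain in process-creation events.

Added example for this sandbox report; the rule and the event layout
are the editor's own, not the sandbox's detection logic."""

import re
from dataclasses import dataclass
from typing import Dict, List

# Matches an image path rooted in a user's %LOCALAPPDATA%\Temp directory.
TEMP_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE
)


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed, Sysmon-like shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def in_temp(path: str) -> bool:
    """True if the image path lives under a user's Temp folder."""
    return bool(TEMP_RE.match(path))


def find_temp_drop_chains(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Return every child whose image and parent image are both in Temp.

    The parent is resolved by PID within the same event set, so a child
    whose parent was not recorded is skipped rather than guessed."""
    by_pid = {e.pid: e for e in events}
    hits: List[Dict[str, object]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if (in_temp(e.image) and in_temp(parent.image)
                and e.image.lower() != parent.image.lower()):
            hits.append({
                "parent_pid": parent.pid,
                "parent": parent.image,
                "child_pid": e.pid,
                "child": e.image,
                "cmdline": e.cmdline,
            })
    return hits


# Constructed events modelled on the report's process tree. PIDs 2252 and
# 2792 and their image paths are from the report; the rest is made up.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(
        2252, 1000,
        r"C:\Users\Admin\AppData\Local\Temp\2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe"',
    ),
    ProcEvent(
        2792, 2252,
        r"C:\Users\Admin\AppData\Local\Temp\SYKIMDWWYCI\tmppack.exe",
        r"C:\Users\Admin\AppData\Local\Temp\SYKIMDWWYCI\tmppack.exe -y",
    ),
    ProcEvent(3100, 1000, r"C:\Program Files\Notepad++\notepad++.exe", "notepad++.exe"),
]

if __name__ == "__main__":
    for hit in find_temp_drop_chains(SAMPLE_EVENTS):
        print(f"{hit['parent_pid']} -> {hit['child_pid']}: {hit['cmdline']}")
```

    The rule deliberately requires the parent to be resolvable from the same event set; on a real host, feed it Sysmon Event ID 1 records (ProcessId, ParentProcessId, Image, CommandLine) and expect some noise from legitimate installers that also unpack into Temp.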

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SYKIMDWWYCI\installer.pak

    Filesize

    1.6MB

    MD5

    a4a7f8cb2dbefe97901cf657f6ed5ca4

    SHA1

    3b297cd14d8844b6da442557b0d82d1f2e888b22

    SHA256

    babacf1ca8865e86ea715364c43b24c1e450a094cab0852dec1b3e26a42978a2

    SHA512

    bf7373cf77597b0aa6619cfe2186f4f2f2672ed8f5985797918477b78450358dd1bfd053976f8953563af2bc706fb6b7125da61c37cc999397ee34f917f96e07

  • C:\Users\Admin\AppData\Local\Temp\b7o014bd\gui\3231.html

    Filesize

    6KB

    MD5

    15bcf709fb25c7a12adc31337f674183

    SHA1

    6190814afed856b543e5ef7488cb1f6b4488704a

    SHA256

    397a6d796f96055c95ed6bcf98ce87513304fa69e5c06f5d1abdca1fb0feb588

    SHA512

    49165fd09a5e909f7525cbbcdf866a2f06a30c9213d3051f8963a0ee1f9bab94ecdca09dce3748937b06df8a8069cfcd2315fbf1e46ab5ccff725df5492b986e

  • C:\Users\Admin\AppData\Local\Temp\b7o014bd\gui\events\cav.xml

    Filesize

    1KB

    MD5

    0a396dc280db5266f43e244cb9c7d0f6

    SHA1

    8c92c353dd7d5b3fc85e2c684fbced5316ec1930

    SHA256

    c3516b0b9038ce1a8880f92c0f9c4c5a55a6e032657566d06c351248bf37dc8d

    SHA512

    56faab16e15acc6437119caa3af77bd83b07ca9151be3924fdc295c745485f2bdc56f01d23f8a5ff4278fc5560ceacc8ac97572f5c0be548d648c0ca8cbb885d

  • \Users\Admin\AppData\Local\Temp\SYKIMDWWYCI\tmppack.exe

    Filesize

    716KB

    MD5

    d2f31d4bcb2f93e137eed54a8f4c8874

    SHA1

    28bf2717bfda88a3e93906c720065cde847b1487

    SHA256

    473ab84307c6d9cc7907598705dd2704360557c0ba0becf5a090b269a81d087c

    SHA512

    d347d271d053c960f895c31a2396d333f05b2792545f20e60cc5c15440e98a7a7c80813346787a980434c6394c33d00be16c0c20f73a9c0551e45f563c5e5b84

  • memory/2252-13-0x00000000023E0000-0x000000000257D000-memory.dmp

    Filesize

    1.6MB

  • memory/2252-83-0x0000000001E90000-0x0000000001E91000-memory.dmp

    Filesize

    4KB

  • memory/2252-132-0x00000000078F0000-0x0000000007910000-memory.dmp

    Filesize

    128KB

  • memory/2252-151-0x0000000001E90000-0x0000000001E91000-memory.dmp

    Filesize

    4KB

  • memory/2252-152-0x00000000078F0000-0x0000000007910000-memory.dmp

    Filesize

    128KB
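
    The hashes listed under Downloads, together with those of the submitted sample, are the report's file indicators. The Python below is an added example, not part of the report: it embeds the MD5, SHA-1 and SHA-256 values from the report, reads each file once while feeding all three algorithms, and returns every match against the indicator set. SSDEEP is left out because the standard library cannot compute it. The scanner layout and function names are the editor's own; the digest values are copied from the report.

```python
"""Check files on disk against the hashes listed in this report.

Added example; the hash values are copied from the report above, the
scanner itself is the editor's own code."""

import hashlib
import os
import sys
from typing import Dict, Iterable, Iterator, List, Tuple

ALGOS = ("md5", "sha1", "sha256")

# Report file name -> {algorithm: hex digest}, taken from the report.
REPORT_HASHES: Dict[str, Dict[str, str]] = {
    "2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe": {
        "md5": "c84c8644b728946aee5b61f4a59ce67a",
        "sha1": "382daffc622001ada245e8676a5de4519ff50bbc",
        "sha256": "4374a3ba86424230357d1a11470bd45dc911a9a71941f6c10fcf0e23b91e50f3",
    },
    "installer.pak": {
        "md5": "a4a7f8cb2dbefe97901cf657f6ed5ca4",
        "sha1": "3b297cd14d8844b6da442557b0d82d1f2e888b22",
        "sha256": "babacf1ca8865e86ea715364c43b24c1e450a094cab0852dec1b3e26a42978a2",
    },
    "3231.html": {
        "md5": "15bcf709fb25c7a12adc31337f674183",
        "sha1": "6190814afed856b543e5ef7488cb1f6b4488704a",
        "sha256": "397a6d796f96055c95ed6bcf98ce87513304fa69e5c06f5d1abdca1fb0feb588",
    },
    "cav.xml": {
        "md5": "0a396dc280db5266f43e244cb9c7d0f6",
        "sha1": "8c92c353dd7d5b3fc85e2c684fbced5316ec1930",
        "sha256": "c3516b0b9038ce1a8880f92c0f9c4c5a55a6e032657566d06c351248bf37dc8d",
    },
    "tmppack.exe": {
        "md5": "d2f31d4bcb2f93e137eed54a8f4c8874",
        "sha1": "28bf2717bfda88a3e93906c720065cde847b1487",
        "sha256": "473ab84307c6d9cc7907598705dd2704360557c0ba0becf5a090b269a81d087c",
    },
}


def hash_bytes(data: bytes, algos: Tuple[str, ...] = ALGOS) -> Dict[str, str]:
    """Digest an in-memory buffer with every requested algorithm."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def hash_file(path: str, algos: Tuple[str, ...] = ALGOS) -> Dict[str, str]:
    """Read the file once, updating all hashers per 64 KiB chunk."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def build_index(report: Dict[str, Dict[str, str]]) -> Dict[Tuple[str, str], str]:
    """Invert the report into (algorithm, digest) -> file name for O(1) lookups."""
    return {(a, d.lower()): name
            for name, digests in report.items()
            for a, d in digests.items()}


def scan(paths: Iterable[str],
         index: Dict[Tuple[str, str], str]) -> List[Tuple[str, str, str]]:
    """Return (path, algorithm, report_name) for each digest that matches."""
    hits: List[Tuple[str, str, str]] = []
    for p in paths:
        for algo, digest in hash_file(p).items():
            name = index.get((algo, digest))
            if name is not None:
                hits.append((p, algo, name))
    return hits


def walk_files(root: str) -> Iterator[str]:
    """Yield every regular file under root."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            yield os.path.join(dirpath, fn)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, name in scan(walk_files(root), build_index(REPORT_HASHES)):
        print(f"{path}: {algo} matches report file {name}")
```

    Point it at a quarantine folder or a mounted image. A match on any one algorithm is reported on its own, so a file that matches on MD5 but not SHA-256 stands out as a possible collision or copy error rather than being silently accepted.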