Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 10-06-2024 20:02

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe
Resource: win7-20240508-en
General
Target: 2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe
Size: 1.2MB
MD5: c84c8644b728946aee5b61f4a59ce67a
SHA1: 382daffc622001ada245e8676a5de4519ff50bbc
SHA256: 4374a3ba86424230357d1a11470bd45dc911a9a71941f6c10fcf0e23b91e50f3
SHA512: 54f7aa0b3679aef090feb91c53e30857ec920a97cfc306471468da5f98f500a005700a8cd7a904822d0b6636cfc81234a31dccf76a48d028dee8263b49c04cfb
SSDEEP: 24576:+1QfopqgaJXi6kgaINVD4W7CS7YsXDV6YkHzr9jWp049cYzK15yaGOjbvD/+Xbd8:+1wg2XiTcNV7CS7bkY8xWa49cYW5yKDf
Malware Config
Signatures

Executes dropped EXE 1 IoCs
pid  | Process
2792 | tmppack.exe

Loads dropped DLL 2 IoCs
pid  | Process
2252 | 2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe
2252 | 2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings 3 IoCs
description     | ioc | Process
Key created     | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | 2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe
Key created     | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | 2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | 2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid  | Process
2252 | 2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe
2252 | 2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe

Suspicious use of WriteProcessMemory 4 IoCs
description                      | pid  | Process                                                 | procid_target
PID 2252 wrote to memory of 2792 | 2252 | 2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe | 28
PID 2252 wrote to memory of 2792 | 2252 | 2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe | 28
PID 2252 wrote to memory of 2792 | 2252 | 2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe | 28
PID 2252 wrote to memory of 2792 | 2252 | 2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe | 28
Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-10_c84c8644b728946aee5b61f4a59ce67a_mafia.exe"
  PID: 2252
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SYKIMDWWYCI\tmppack.exe
      Arguments: -y
      PID: 2792
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.6MB
MD5: a4a7f8cb2dbefe97901cf657f6ed5ca4
SHA1: 3b297cd14d8844b6da442557b0d82d1f2e888b22
SHA256: babacf1ca8865e86ea715364c43b24c1e450a094cab0852dec1b3e26a42978a2
SHA512: bf7373cf77597b0aa6619cfe2186f4f2f2672ed8f5985797918477b78450358dd1bfd053976f8953563af2bc706fb6b7125da61c37cc999397ee34f917f96e07

Filesize: 6KB
MD5: 15bcf709fb25c7a12adc31337f674183
SHA1: 6190814afed856b543e5ef7488cb1f6b4488704a
SHA256: 397a6d796f96055c95ed6bcf98ce87513304fa69e5c06f5d1abdca1fb0feb588
SHA512: 49165fd09a5e909f7525cbbcdf866a2f06a30c9213d3051f8963a0ee1f9bab94ecdca09dce3748937b06df8a8069cfcd2315fbf1e46ab5ccff725df5492b986e

Filesize: 1KB
MD5: 0a396dc280db5266f43e244cb9c7d0f6
SHA1: 8c92c353dd7d5b3fc85e2c684fbced5316ec1930
SHA256: c3516b0b9038ce1a8880f92c0f9c4c5a55a6e032657566d06c351248bf37dc8d
SHA512: 56faab16e15acc6437119caa3af77bd83b07ca9151be3924fdc295c745485f2bdc56f01d23f8a5ff4278fc5560ceacc8ac97572f5c0be548d648c0ca8cbb885d

Filesize: 716KB
MD5: d2f31d4bcb2f93e137eed54a8f4c8874
SHA1: 28bf2717bfda88a3e93906c720065cde847b1487
SHA256: 473ab84307c6d9cc7907598705dd2704360557c0ba0becf5a090b269a81d087c
SHA512: d347d271d053c960f895c31a2396d333f05b2792545f20e60cc5c15440e98a7a7c80813346787a980434c6394c33d00be16c0c20f73a9c0551e45f563c5e5b84