46e81dc1293d449693914032f7c56641a353052e8b99a6008baea984b3fe1e16

Analysis

max time kernel
120s
max time network
151s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 06:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe
Size

3.3MB
MD5

ac91f406692c08fe583d8c8f0cd522ee
SHA1

6c9a6dcb00e691a5577b732117584cf551ccc077
SHA256

46e81dc1293d449693914032f7c56641a353052e8b99a6008baea984b3fe1e16
SHA512

096b339e2dfeef455b9792cc8ee51154631d2560d6a3d80e10c33e4616b520c9e77c0d3a7d5ff1cb58d51fa2e1cfc873028a03e2862d8c214dcfe7061087f192
SSDEEP

98304:R1FnW60l/q4y1q52s1fiGRi/MQ/pMNrztoj9ghi1RebMIg9Cbk/V85JD:HFbq2mUMNrztojDIg9Cbk/V85JD

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2700	FFXIV_Boot.exe
1300	FFXIV_Boot.exe

Loads dropped DLL 8 IoCs

pid	Process
2360	2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe
2360	2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe
2360	2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe
2360	2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe
2700	FFXIV_Boot.exe
2700	FFXIV_Boot.exe
2700	FFXIV_Boot.exe
1300	FFXIV_Boot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2360	2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2360	2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2360	2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe
2360	2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe
2360	2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe
2700	FFXIV_Boot.exe
2700	FFXIV_Boot.exe
1300	FFXIV_Boot.exe
1300	FFXIV_Boot.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2700	2360	2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe	29
PID 2360 wrote to memory of 2700	2360	2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe	29
PID 2360 wrote to memory of 2700	2360	2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe	29
PID 2360 wrote to memory of 2700	2360	2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe	29
PID 2700 wrote to memory of 1300	2700	FFXIV_Boot.exe	31
PID 2700 wrote to memory of 1300	2700	FFXIV_Boot.exe	31
PID 2700 wrote to memory of 1300	2700	FFXIV_Boot.exe	31
PID 2700 wrote to memory of 1300	2700	FFXIV_Boot.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_ac91f406692c08fe583d8c8f0cd522ee_mafia.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\FFXIV_Boot.exe
  "C:\Users\Admin\AppData\Local\Temp\FFXIV_Boot.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\FFXIV_Boot.exe
    "C:\Users\Admin\AppData\Local\Temp\FFXIV_Boot.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Boot.ver

Filesize
66B

MD5
7d65feb5bdc0e97cf3071694f0143221

SHA1
5bd0e2aa6fd59418284624a92fcf3f7efedb8882

SHA256
98575d3859275c8081909725656ca32b3cdef744fc1096b810e4c6eca51a09ce

SHA512
af50ea7baff6a9afa922b03fc4fef836f70ba543f7e658d101e693108edafac27eef652558ee6929103c2e9a67e433be3af1f7b74f2dbec7a9ccf5aa099d9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DumpSender.exe

Filesize
1.0MB

MD5
09ebd891689b78bc5491598f5bbf3a8e

SHA1
d26d7857d93a7cdf9c22fb8a0d2857bcf057ad64

SHA256
3439e5f65bbda6dcf94370f0fc0fa7f6bb77629d497dd58e4631dc2eb4287182

SHA512
9816a8cfbfcdf6b5f39c8c64175c5382862324b8dfcc43984878c46cb36accc2950b9c4bdae9771877fb71c64f50b0d5f32c8853276307291b18d99ac132816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFXIV_Boot.exe

Filesize
4.2MB

MD5
25abf8968762507b40c17487ce51d07c

SHA1
2169a6d1b0c7f371c0b380ef2336f7c54e7ee5e6

SHA256
8ac6e6d17ca4188b287108c23dbfacd7ed814988d192ba6ab509ede237366437

SHA512
822ed7edf5b6affa03f9b219cb8df279f8361c115e2890f668c4e906d8e6f1ee4a5f8d3f07ae9d06f2c8675607f5dd78f2de8fa556a39e027fc01286ef56479b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFXIV_Launcher.exe

Filesize
3.7MB

MD5
a807189f60f045305493b7f68c614dfe

SHA1
ebe59ad73d2b1d774741e98099608738e599b395

SHA256
9d2553667ed2eca3fceb08dc078cba68aa57203e1560e2bbf3d875a9ee221688

SHA512
ba40b93b3a8c2efe8b5367d312b0ed7894efa11cfba04387557b0ed3d926263ee983b5f16926039f6371d4a725f80a73513952dce8aa6c90f6cda10e742b042c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffxivconfig.exe

Filesize
292KB

MD5
778d109966056f37d9e1c11f778656b2

SHA1
9336fe054ba9b1c3ede68a7d2801d3bea18da5c5

SHA256
ac51d4c94b63acfff8d764c8183e18d390f5d74c528053cfabc55b2ff1794f8b

SHA512
c69819ce1a66db965e307a622cbb5dcd74575e0b1e60d56883467fd4374902563e369708af870fc4320351d5f6481d7e9f28e6de3929ae9d785f8d2659bc5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\log\boot_20240611.log

Filesize
12KB

MD5
bd0e07e339c9703e4f03a0b71f6a40b7

SHA1
999b9c61cf62bda90e369c883f52eff02aae5981

SHA256
b0a05922469da4efe134ace9f70d5ae90e1cec93c51e5f90aaa30ec47edcf6a6

SHA512
50da5a48cb446238a264d8999cd0bc1cb747eb23fb9c617b5c0c0beec614eb34ffc8f69d719c8909fdbc94c23b74812274536b74275406d1e4063f29d77e804e

Download Submit
C:\Users\Admin\AppData\Local\Temp\log\boot_20240611.log

Filesize
11KB

MD5
3e28c7055c038158bc381ef982117846

SHA1
84d6d73958297796c2ebaaea44619e9e02c2a0a3

SHA256
183a2f0b10bd576b1acae9d7ae3de5e2a8fb470a2c7b33c0087fb668f2172684

SHA512
4446ca270c70cc82f6784d3d2976ead373ecbcd2206a040d47376a3af0c523a330392e2a769a154bd29ab72039446b24876ebdd17a36b435ee679bdfc41853cb

Download Submit
\Users\Admin\AppData\Local\Temp\FFXIV_Boot.exe

Filesize
4.3MB

MD5
96ff6e39f4050e0b6d017ee7135d4b18

SHA1
c2fc2be63571b8737ef47631d3e343d3cd3e793c

SHA256
58935c21a1e681bb4bc4569ec6dd22110c60d75b4bbbb3afb9a3b54d656a433f

SHA512
424aec0904865c480dae281129668b80ca8525136aa687b63c8b757316748dc568603e36851f4d70c0e921b8ef33a50eeed5f0bcd7217549a8e474914a11c346

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.0MB

MD5
f2b8855b667fa274853cd21332eab89e

SHA1
fd7a15ab082aabfd5d2e936041ee16cb4dbc0574

SHA256
dec81d213bf9c0a52896e06661783384d37da8e64dcf0c6e470b7b1f41d6a58b

SHA512
9dd23cf7d3c2d1c87377ce81b68cfa4ff4bcd343625b96c5bc530595f0f48ba738bdc4c96bb602fee8cb33fd24a79c31113465b88d4011c72718b5d90515d861

Download Submit
memory/2360-20-0x0000000000120000-0x0000000000640000-memory.dmp

Filesize
5.1MB

Download
memory/2360-38-0x0000000000120000-0x0000000000640000-memory.dmp

Filesize
5.1MB

Download
memory/2700-113-0x0000000000860000-0x0000000000C98000-memory.dmp

Filesize
4.2MB

Download
memory/2700-126-0x0000000000860000-0x0000000000C98000-memory.dmp

Filesize
4.2MB

Download