Malware Analysis Report

2025-01-18 14:34

Sample ID 240613-ec4n5axamj
Target 2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia
SHA256 046ea6152fd862c426abc536c7c559d631e4eb8b40ad29babdcaefc0259243ee
Tags
upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

046ea6152fd862c426abc536c7c559d631e4eb8b40ad29babdcaefc0259243ee

Threat Level: Known bad

The file 2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia was found to be: Known bad.

Malicious Activity Summary

upx

UPX dump on OEP (original entry point)

ACProtect 1.3x - 1.4x DLL software

Checks BIOS information in registry

Loads dropped DLL

UPX packed file

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:48

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:48

Reported

2024-06-13 03:51

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.kingjackpot.co.uk udp
US 104.21.16.35:80 www.kingjackpot.co.uk tcp
US 104.21.16.35:80 www.kingjackpot.co.uk tcp
US 104.21.16.35:443 www.kingjackpot.co.uk tcp
US 104.21.16.35:443 www.kingjackpot.co.uk tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 35.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 104.21.16.35:80 www.kingjackpot.co.uk tcp
US 104.21.16.35:443 www.kingjackpot.co.uk tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\HTM32E7.tmp

MD5 a3bc82ec91d572027540f7a796dd95fc
SHA1 f843bac69c6e1b623a4b7810e691834bd4017810
SHA256 cdf24004acda832634a2ca7c656672a5e9de0a6bdf753bd7bee76e87a24f8c07
SHA512 262fe7617daaa2b253e93e3cb80973de4789c76c7247fa8eb0880a6ee6a92c6e3d2e54bf973d38b6943d2277f7875e8327c27e0a6361a80efa74ba84b422c8eb

memory/5092-5-0x0000000075000000-0x00000000751DC000-memory.dmp

memory/5092-6-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/5092-17-0x0000000075000000-0x00000000751DC000-memory.dmp

memory/5092-18-0x0000000075000000-0x00000000751DC000-memory.dmp

memory/5092-19-0x0000000075000000-0x00000000751DC000-memory.dmp

memory/5092-20-0x0000000075000000-0x00000000751DC000-memory.dmp

memory/5092-21-0x0000000075000000-0x00000000751DC000-memory.dmp

memory/5092-26-0x0000000075000000-0x00000000751DC000-memory.dmp

memory/5092-30-0x0000000075000000-0x00000000751DC000-memory.dmp

memory/5092-31-0x0000000075000000-0x00000000751DC000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:48

Reported

2024-06-13 03:51

Platform

win7-20240611-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-13_ce3e1058eb5b8e706f566028961eeb18_mafia.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.kingjackpot.co.uk udp
US 172.67.166.18:80 www.kingjackpot.co.uk tcp
US 172.67.166.18:80 www.kingjackpot.co.uk tcp
US 172.67.166.18:443 www.kingjackpot.co.uk tcp
US 172.67.166.18:443 www.kingjackpot.co.uk tcp
US 172.67.166.18:80 www.kingjackpot.co.uk tcp
US 172.67.166.18:443 www.kingjackpot.co.uk tcp

Files

memory/236-3-0x0000000074B10000-0x0000000074CEC000-memory.dmp

memory/236-4-0x0000000000110000-0x0000000000111000-memory.dmp

memory/236-27-0x0000000074B10000-0x0000000074CEC000-memory.dmp

memory/236-28-0x0000000074B10000-0x0000000074CEC000-memory.dmp

memory/236-29-0x0000000074B10000-0x0000000074CEC000-memory.dmp

memory/236-30-0x0000000074B10000-0x0000000074CEC000-memory.dmp

memory/236-31-0x0000000074B10000-0x0000000074CEC000-memory.dmp

memory/236-34-0x0000000074B10000-0x0000000074CEC000-memory.dmp

memory/236-35-0x0000000074B10000-0x0000000074CEC000-memory.dmp

memory/236-40-0x0000000074B10000-0x0000000074CEC000-memory.dmp