6873f31cc5e0784ea50a2b0c514238a465d7840b067785ece602516fbd6c2eb5

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_3596fb724ebbcd13bc440f10f18adce0_mafia.exe
Size

6.5MB
MD5

3596fb724ebbcd13bc440f10f18adce0
SHA1

e3fc559935f2ca1e3e98631ac673ea7f104fd365
SHA256

6873f31cc5e0784ea50a2b0c514238a465d7840b067785ece602516fbd6c2eb5
SHA512

2fdf0ca3de4aa522efae56a1832f61b7b536743a67f0e6cae6a062a2698ee1e610435896182a5a328b834a80c4e12e36bc568deb4def3a36b022a1ade705e5cf
SSDEEP

98304:5o+rbC2qhcW7I9zaa0+moiClUlNapwzSUp23gBlyOPLKu6x/6ZGUClfP:uR7IZ0OIapwmJvG0x/4GR3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
232	snow64.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	snow64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	snow64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	snow64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	snow64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	snow64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	snow64.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 232	1180	2024-06-15_3596fb724ebbcd13bc440f10f18adce0_mafia.exe	81
PID 1180 wrote to memory of 232	1180	2024-06-15_3596fb724ebbcd13bc440f10f18adce0_mafia.exe	81

C:\Users\Admin\AppData\Local\Temp\2024-06-15_3596fb724ebbcd13bc440f10f18adce0_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_3596fb724ebbcd13bc440f10f18adce0_mafia.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Snow Software\SSA\snow64.exe
  "C:\Users\Admin\AppData\Local\Snow Software\SSA\snow64.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Snow Software\SSA\client.log

Filesize
688B

MD5
69dca3c7ae9acdf23ce55912a394cf5f

SHA1
bc981c6052624c14ee962e9e3d312c6a7ee6dcf1

SHA256
8a485ebf10165dad26c0d16eb08c041bf367d85072b21dadda8bf10c31cf5cbf

SHA512
e592fdaa2ef13da9f3ec349f2e051d5cce52b76844b81796b9c6d6fdef3c626fbdc90ffddc75c1cb1711e9d3bc6467077ea04b6f202a841d097869d25795d2c2

Download Submit
C:\Users\Admin\AppData\Local\Snow Software\SSA\config

Filesize
1KB

MD5
d0da5b674b4368ac39ca7215c959020d

SHA1
195fb9233942b232cfbc921bfa7a513931a2e504

SHA256
1b9083bb44fc18105ab5e8a741e8596036a5ed3c1f154d97a8633e1963ab9265

SHA512
45f9c9b4485163b20f7dbc57afbec38e6859eef9e5af3aad7af2066b362d88225b9d11ab4e9c00218db95c8956ed19092de72570ba5b6fd9e0bbd2e47efb3c4c

Download Submit
C:\Users\Admin\AppData\Local\Snow Software\SSA\snow64.exe

Filesize
3.6MB

MD5
bdd233e038fb91ff44619ac7cb1b1755

SHA1
fe15c2bb2c308ba9f011c4df9f4df0e86e459494

SHA256
06f2fe05d09590a9b599df3f92d2d2448a73968ab5bc6d2afee16422b130ed1c

SHA512
eaf3ffa9f3e0dc6c316f076bdbf0b06867361b673359b60fd69d37c829636e1d3b2a25fbe6d16cb8af1f8f41fe6781fa9ec1eccfe9391e0471424d07a21887fe

Download Submit