Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 07:34
Behavioral task: behavioral1
Sample: 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Resource: win7-20240221-en
General
Target: 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Size: 1.3MB
MD5: c31ed1c9d387878c21458bdef6d3260c
SHA1: f4b34b042a130701c96409c9a2057c37f195424e
SHA256: c0aabb3c79a97eabff16d4e215e403f80fadee5d63a54dd7433f0f5125bca4ad
SHA512: 48419ae59c8b1705656f63886d509fc34081ff44998ffe5336f9b6e76b125c42528b8762cf9d75d09359768f3c1a9c2418478d35fe5c94d8b904e2ae86d5b256
SSDEEP: 24576:R1UGLrmwPVsjEkazzCmRpslRI4/iK6LfGJErGCkfp0sUPYud9mj1uRyRsGyz:Ru2jkaqmRpwOOiMeGPfp0sUPYu7UQq
Malware Config
Signatures
Detect Blackmoon payload (5 IoCs)
resource / yara_rule:
behavioral1/memory/3028-3-0x00000000010E0000-0x0000000001251000-memory.dmp family_blackmoon
behavioral1/memory/3028-2-0x00000000010E0000-0x0000000001251000-memory.dmp family_blackmoon
behavioral1/memory/3028-12-0x00000000010E0000-0x0000000001251000-memory.dmp family_blackmoon
behavioral1/memory/3028-19-0x00000000010E0000-0x0000000001251000-memory.dmp family_blackmoon
behavioral1/memory/3028-21-0x00000000010E0000-0x0000000001251000-memory.dmp family_blackmoon
All five hits are the same region of pid 3028 (0x010E0000-0x01251000, 0x171000 bytes) captured at five successive dump points, not five different payloads.
UPX dump on OEP (original entry point) (7 IoCs)
resource / yara_rule:
behavioral1/memory/3028-3-0x00000000010E0000-0x0000000001251000-memory.dmp UPX
behavioral1/memory/3028-2-0x00000000010E0000-0x0000000001251000-memory.dmp UPX
behavioral1/memory/3028-1-0x0000000010000000-0x0000000010014000-memory.dmp UPX
behavioral1/memory/3028-11-0x00000000009F0000-0x0000000000A08000-memory.dmp UPX
behavioral1/memory/3028-12-0x00000000010E0000-0x0000000001251000-memory.dmp UPX
behavioral1/memory/3028-19-0x00000000010E0000-0x0000000001251000-memory.dmp UPX
behavioral1/memory/3028-21-0x00000000010E0000-0x0000000001251000-memory.dmp UPX
Three distinct regions of pid 3028 match: 0x010E0000-0x01251000 (dumps 2, 3, 12, 19, 21; the same region the Blackmoon rule matched), 0x10000000-0x10014000 (dump 1, 0x14000 bytes; 0x10000000 is the default image base of 32-bit DLLs, so this is most likely a mapped module) and 0x009F0000-0x00A08000 (dump 11, 0x18000 bytes).
Drops startup file (1 IoC)
description / ioc / process:
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk | 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
A shortcut in the per-user Startup folder is launched by Explorer at every interactive logon of that user, so this is a persistence mechanism; the .lnk target is not recorded on this page.
resource / yara_rule:
behavioral1/memory/3028-1-0x0000000010000000-0x0000000010014000-memory.dmp upx
behavioral1/memory/3028-11-0x00000000009F0000-0x0000000000A08000-memory.dmp upx
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (48 IoCs)
pid / process: 3028 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
All 48 entries are the same pid and process, i.e. one process enumerated the process list 48 times during the run.
Suspicious use of AdjustPrivilegeToken (9 IoCs)
description / pid / process:
Token: SeDebugPrivilege 3028 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeLockMemoryPrivilege 3028 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeCreateGlobalPrivilege 3028 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeBackupPrivilege 3028 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeRestorePrivilege 3028 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeShutdownPrivilege 3028 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeCreateTokenPrivilege 3028 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeTakeOwnershipPrivilege 3028 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeDebugPrivilege 3028 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Eight distinct privileges are requested (SeDebugPrivilege appears twice). SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege together allow opening any process and reading or overwriting files regardless of their ACLs. The sandbox logs the enable request, not its result: AdjustTokenPrivileges can only enable privileges the token already holds, and SeCreateTokenPrivilege and SeLockMemoryPrivilege are not granted to administrator accounts by default, so those two most likely failed with ERROR_NOT_ALL_ASSIGNED.
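The yara-hit tables above (Blackmoon and UPX memory dumps), the Drops startup file entry and the AdjustPrivilegeToken entry all share one flat line format. The script below is an added example written for this report, not code from the sandbox or the page: it parses those three line kinds into records, collapses repeated dumps of the same region, flags file writes into Startup folders and picks out the high-impact privileges. The sample lines are copied from the entries above; the regexes, the record layout and the high-risk privilege list are this script's own assumptions.

```python
"""Parse the flat IoC lines of a Triage-style sandbox signature table into
structured records and a short triage summary.

Added example for this report, not code from the sandbox or the page. The
sample lines are copied from the report's signature entries; the regexes, the
record layout and HIGH_RISK_PRIVS are this script's own assumptions."""
import re
from collections import defaultdict

# Constructed input: lines copied from the signature entries in the report.
SAMPLE_LINES = r"""
behavioral1/memory/3028-3-0x00000000010E0000-0x0000000001251000-memory.dmp family_blackmoon
behavioral1/memory/3028-2-0x00000000010E0000-0x0000000001251000-memory.dmp family_blackmoon
behavioral1/memory/3028-1-0x0000000010000000-0x0000000010014000-memory.dmp UPX
behavioral1/memory/3028-11-0x00000000009F0000-0x0000000000A08000-memory.dmp UPX
behavioral1/memory/3028-12-0x00000000010E0000-0x0000000001251000-memory.dmp UPX
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeDebugPrivilege 3028 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeBackupPrivilege 3028 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeDebugPrivilege 3028 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
"""

# <task>/memory/<pid>-<dump#>-0x<start>-0x<end>-memory.dmp <yara_rule>
MEM_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<dump>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)
# File created <path, may contain spaces> <process image name, no spaces>
FILE_RE = re.compile(r"^File created\s+(?P<path>[A-Za-z]:\\.*?)\s+(?P<process>\S+)$")
# Token: <privilege> <pid> <process image name>
TOKEN_RE = re.compile(r"^Token:\s+(?P<priv>Se\w+Privilege)\s+(?P<pid>\d+)\s+(?P<process>\S+)$")

# Privileges that let a process read, write or control objects it does not own.
# Which ones count as "high risk" is this script's assumption.
HIGH_RISK_PRIVS = {
    "SeDebugPrivilege",          # open any process, including LSASS
    "SeBackupPrivilege",         # read files regardless of ACL
    "SeRestorePrivilege",        # write files regardless of ACL
    "SeTakeOwnershipPrivilege",  # take ownership of securable objects
    "SeCreateTokenPrivilege",    # mint arbitrary primary tokens
    "SeLoadDriverPrivilege",     # load kernel drivers
}


def parse_ioc_lines(text):
    """Return (memory_hits, file_events, token_events) from raw signature lines."""
    memory_hits, file_events, token_events = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := MEM_RE.match(line):
            start, end = int(m["start"], 16), int(m["end"], 16)
            memory_hits.append({"pid": int(m["pid"]), "dump": int(m["dump"]),
                                "start": start, "end": end, "size": end - start,
                                "rule": m["rule"]})
        elif m := FILE_RE.match(line):
            file_events.append({"path": m["path"], "process": m["process"]})
        elif m := TOKEN_RE.match(line):
            token_events.append({"privilege": m["priv"], "pid": int(m["pid"]),
                                 "process": m["process"]})
    return memory_hits, file_events, token_events


def is_startup_folder_path(path):
    """True for per-user and all-users Startup folders (shortcuts there run at logon)."""
    return "\\start menu\\programs\\startup\\" in path.lower()


def summarize(memory_hits, file_events, token_events):
    """Collapse repeated dumps of one region, flag autostart drops, dedupe privileges."""
    regions = {}
    for h in memory_hits:
        key = (h["pid"], h["start"], h["end"])
        r = regions.setdefault(key, {"size": h["size"], "rules": set(), "dumps": set()})
        r["rules"].add(h["rule"])
        r["dumps"].add(h["dump"])
    privs = defaultdict(set)
    for t in token_events:
        privs[t["pid"]].add(t["privilege"])
    return {
        "regions": {k: {"size": v["size"], "rules": sorted(v["rules"]),
                        "dumps": sorted(v["dumps"])} for k, v in regions.items()},
        "startup_drops": [f["path"] for f in file_events if is_startup_folder_path(f["path"])],
        "privileges": {pid: sorted(p) for pid, p in privs.items()},
        "high_risk_privileges": {pid: sorted(p & HIGH_RISK_PRIVS) for pid, p in privs.items()},
    }


def report(summary):
    """Render the summary as plain text lines, one per finding."""
    out = []
    for (pid, start, end), r in sorted(summary["regions"].items()):
        out.append(f"pid {pid} region 0x{start:08X}-0x{end:08X} ({r['size']:#x} bytes) "
                   f"rules={','.join(r['rules'])} dumps={r['dumps']}")
    for path in summary["startup_drops"]:
        out.append(f"autostart drop: {path}")
    for pid, p in summary["high_risk_privileges"].items():
        out.append(f"pid {pid} requested high-risk privileges: {', '.join(p)}")
    return out


if __name__ == "__main__":
    print("\n".join(report(summarize(*parse_ioc_lines(SAMPLE_LINES)))))
```

Run as-is it prints three region lines (the five Blackmoon/UPX hits collapse to one 0x171000-byte region), the Startup-folder drop and the deduplicated privilege list; paste the signature tables of another report into SAMPLE_LINES to triage that one the same way.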
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 13B
MD5: c5cfc3a56aee6a637fbcc18b04cd86a3
SHA1: f87991cffd3b89938213b49fd1874b91201e63a7
SHA256: 21b13b7da295b4c9af94710b0981982224afc6d3c636134e1f051bf07801edb3
SHA512: 662ec55b39880874cf06fbcdfb87f21cfb8d90112449bde504af9b05e4eae192b660be5b74e5962790942f30010786d24258ed922435774ba016473c64145396