Analysis
-
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 07:34
-
Behavioral task: behavioral1
Sample: 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Resource: win7-20240221-en
9 signatures
150 seconds
General
-
Target: 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Size: 1.3MB
MD5: c31ed1c9d387878c21458bdef6d3260c
SHA1: f4b34b042a130701c96409c9a2057c37f195424e
SHA256: c0aabb3c79a97eabff16d4e215e403f80fadee5d63a54dd7433f0f5125bca4ad
SHA512: 48419ae59c8b1705656f63886d509fc34081ff44998ffe5336f9b6e76b125c42528b8762cf9d75d09359768f3c1a9c2418478d35fe5c94d8b904e2ae86d5b256
SSDEEP: 24576:R1UGLrmwPVsjEkazzCmRpslRI4/iK6LfGJErGCkfp0sUPYud9mj1uRyRsGyz:Ru2jkaqmRpwOOiMeGPfp0sUPYu7UQq
Malware Config
Signatures
-
Detect Blackmoon payload (5 IoCs)
Processes:
resource                                                                      yara_rule
behavioral2/memory/5000-4-0x0000000000E80000-0x0000000000FF1000-memory.dmp    family_blackmoon
behavioral2/memory/5000-3-0x0000000000E80000-0x0000000000FF1000-memory.dmp    family_blackmoon
behavioral2/memory/5000-14-0x0000000000E80000-0x0000000000FF1000-memory.dmp   family_blackmoon
behavioral2/memory/5000-15-0x0000000000E80000-0x0000000000FF1000-memory.dmp   family_blackmoon
behavioral2/memory/5000-16-0x0000000000E80000-0x0000000000FF1000-memory.dmp   family_blackmoon
-
UPX dump on OEP (original entry point) (7 IoCs)
Processes:
resource                                                                      yara_rule
behavioral2/memory/5000-4-0x0000000000E80000-0x0000000000FF1000-memory.dmp    UPX
behavioral2/memory/5000-3-0x0000000000E80000-0x0000000000FF1000-memory.dmp    UPX
behavioral2/memory/5000-2-0x0000000010000000-0x0000000010014000-memory.dmp    UPX
behavioral2/memory/5000-12-0x0000000003670000-0x0000000003688000-memory.dmp   UPX
behavioral2/memory/5000-14-0x0000000000E80000-0x0000000000FF1000-memory.dmp   UPX
behavioral2/memory/5000-15-0x0000000000E80000-0x0000000000FF1000-memory.dmp   UPX
behavioral2/memory/5000-16-0x0000000000E80000-0x0000000000FF1000-memory.dmp   UPX
-
Drops startup file (1 IoC)
Processes: 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
description    ioc                                                                                       process
File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPS.lnk     2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
-
Processes:
resource                                                                      yara_rule
behavioral2/memory/5000-2-0x0000000010000000-0x0000000010014000-memory.dmp    upx
behavioral2/memory/5000-12-0x0000000003670000-0x0000000003688000-memory.dmp   upx
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
pid    process
5000   2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
(the same pid/process row is repeated 64 times, one per IoC)
-
Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes: 2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
description                       pid    process
Token: SeDebugPrivilege           5000   2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeLockMemoryPrivilege      5000   2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeCreateGlobalPrivilege    5000   2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeBackupPrivilege          5000   2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeRestorePrivilege         5000   2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeShutdownPrivilege        5000   2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeCreateTokenPrivilege     5000   2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeTakeOwnershipPrivilege   5000   2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe
Token: SeDebugPrivilege           5000   2024-06-21_c31ed1c9d387878c21458bdef6d3260c_mafia.exe