Analysis

max time kernel:   149s
max time network:  125s
platform:          windows7_x64
resource:          win7-20240221-en
resource tags:     arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted:         24-06-2024 04:43
Static task
  static1

Behavioral task
  behavioral1
  Sample:   2024-06-24_23780e7dcdc15c400a6e5abb0b9abc16_mafia.exe
  Resource: win7-20240221-en

Behavioral task
  behavioral2
  Sample:   2024-06-24_23780e7dcdc15c400a6e5abb0b9abc16_mafia.exe
  Resource: win10v2004-20240508-en
General

Target:  2024-06-24_23780e7dcdc15c400a6e5abb0b9abc16_mafia.exe
Size:    334KB
MD5:     23780e7dcdc15c400a6e5abb0b9abc16
SHA1:    806916f75bf5d614f021b13c5d584330fade6e1d
SHA256:  279c6daadf0407bcd578a62591d6abf21ff5eeecf3942e2988c350dac18e37bb
SHA512:  35064f00b6391ca32b9030d8c453cf6d86e82d7a77cf4c1118c51a2affc920836e53751c411dbb0a46fe4a07ed04b6af23ea65b857af4689a5f93303fd5d2f7e
SSDEEP:  6144:7+19vLTOFX4Ses9vJT0tGBmlYHP7a0umy6uibfL0lAh2:61keqgGBVHP7a0umbuCQlAh2
Malware Config
  (none extracted)

Signatures

Executes dropped EXE (4 IoCs)
  pid   Process
  972   q84afvwyspm7gfakgumo.exe
  3152  kkbljew.exe
  4036  xsfmblwyy.exe
  4864  kkbljew.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  2208  2024-06-24_23780e7dcdc15c400a6e5abb0b9abc16_mafia.exe
  2208  2024-06-24_23780e7dcdc15c400a6e5abb0b9abc16_mafia.exe
  3152  kkbljew.exe
  3152  kkbljew.exe
  972   q84afvwyspm7gfakgumo.exe

Drops file in Windows directory (5 IoCs)
  description   ioc                                    Process
  File created  C:\Windows\hhtnjyjhmvvp\ozjekxpgtoy    kkbljew.exe
  File created  C:\Windows\hhtnjyjhmvvp\ozjekxpgtoy    xsfmblwyy.exe
  File created  C:\Windows\hhtnjyjhmvvp\ozjekxpgtoy    kkbljew.exe
  File created  C:\Windows\hhtnjyjhmvvp\ozjekxpgtoy    2024-06-24_23780e7dcdc15c400a6e5abb0b9abc16_mafia.exe
  File created  C:\Windows\hhtnjyjhmvvp\ozjekxpgtoy    q84afvwyspm7gfakgumo.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process         occurrences
  3152  kkbljew.exe     3
  4036  xsfmblwyy.exe   61

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                  procid_target
  PID 2208 wrote to memory of 972   2208  2024-06-24_23780e7dcdc15c400a6e5abb0b9abc16_mafia.exe   28
  PID 2208 wrote to memory of 972   2208  2024-06-24_23780e7dcdc15c400a6e5abb0b9abc16_mafia.exe   28
  PID 2208 wrote to memory of 972   2208  2024-06-24_23780e7dcdc15c400a6e5abb0b9abc16_mafia.exe   28
  PID 2208 wrote to memory of 972   2208  2024-06-24_23780e7dcdc15c400a6e5abb0b9abc16_mafia.exe   28
  PID 3152 wrote to memory of 4036  3152  kkbljew.exe                                              30
  PID 3152 wrote to memory of 4036  3152  kkbljew.exe                                              30
  PID 3152 wrote to memory of 4036  3152  kkbljew.exe                                              30
  PID 3152 wrote to memory of 4036  3152  kkbljew.exe                                              30
  PID 972 wrote to memory of 4864   972   q84afvwyspm7gfakgumo.exe                                 31
  PID 972 wrote to memory of 4864   972   q84afvwyspm7gfakgumo.exe                                 31
  PID 972 wrote to memory of 4864   972   q84afvwyspm7gfakgumo.exe                                 31
  PID 972 wrote to memory of 4864   972   q84afvwyspm7gfakgumo.exe                                 31
Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-24_23780e7dcdc15c400a6e5abb0b9abc16_mafia.exe  (PID 2208)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-24_23780e7dcdc15c400a6e5abb0b9abc16_mafia.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\hhtnjyjhmvvp\q84afvwyspm7gfakgumo.exe  (PID 972)
    command line: "C:\hhtnjyjhmvvp\q84afvwyspm7gfakgumo.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\hhtnjyjhmvvp\kkbljew.exe  (PID 4864)
      command line: "C:\hhtnjyjhmvvp\kkbljew.exe"
      - Executes dropped EXE
      - Drops file in Windows directory

C:\hhtnjyjhmvvp\kkbljew.exe  (PID 3152)
  command line: C:\hhtnjyjhmvvp\kkbljew.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\hhtnjyjhmvvp\xsfmblwyy.exe  (PID 4036)
    command line: C:\hhtnjyjhmvvp\xsfmblwyy.exe vbbsvwzoyebq "c:\hhtnjyjhmvvp\kkbljew.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 4B
  MD5:     75e1b773cd324face8d0e646dbe9846a
  SHA1:    3fc453cdbfd4640297833a74411bfaaec2a3c114
  SHA256:  c0fc4113d6b3a31c06a91453e582cd2fc5f8d67714e8a0abc52d3bbec2521da0
  SHA512:  b965e0928ec70a33638509a536e8349116161d0cc4e16495d0ba33d27ff22666a49c36ebca98fa1fac006671b0e7377654b2fd3e03ed0505834ca61942d0ad62

Filesize: 9B
  MD5:     a9317f8ac538cb2add3d8adeb241e46f
  SHA1:    0a57b5e48abd2fa5c039720922e5644d0360220c
  SHA256:  a5a2528a3e8f42b09615f90f03d8ac1d866fe6d53c10616e35f9380cf76d71a7
  SHA512:  2d9ffefc1a0c943830eb5431cc9e54bcb265e1a9fcdce113184ad031efb13189e32546f00dda8275aee6adc1a5b5a4211d4d3ee563fc61934ea2d91cb5b22b9e

Filesize: 334KB
  MD5:     23780e7dcdc15c400a6e5abb0b9abc16
  SHA1:    806916f75bf5d614f021b13c5d584330fade6e1d
  SHA256:  279c6daadf0407bcd578a62591d6abf21ff5eeecf3942e2988c350dac18e37bb
  SHA512:  35064f00b6391ca32b9030d8c453cf6d86e82d7a77cf4c1118c51a2affc920836e53751c411dbb0a46fe4a07ed04b6af23ea65b857af4689a5f93303fd5d2f7e