Overview

overview

8

Static

static

1

2024-06-30...ia.exe

windows7-x64

8

2024-06-30...ia.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    132s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/06/2024, 05:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-30_05bdb8478c008bd36523d9d503578e9a_mafia.exe

  • Size

    906KB

  • MD5

    05bdb8478c008bd36523d9d503578e9a

  • SHA1

    e3e6067bc98a0b552def6c29b00212eedec66906

  • SHA256

    d7a10e595e2a57efe9e77aa1110436f29d9890335a8d25b0b0a34dd0f827a289

  • SHA512

    18fdbeaeb24c465b2807dac3f20e9264ba05d01abcebcfabb17ed95b0623a471074541eb28520c66a2886d65e13070a1b4a5987d9bb280f0fd73180966c266bf

  • SSDEEP

    12288:xUHzKufgk0IpzpXxsPsM+80/9OCOaVLR7g1xGkgBaFSkYu8DU0OYhLu0O49gY4B:SHVfSIpzpBsGACO0LRs1kk6i6uKVOu4B

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-30_05bdb8478c008bd36523d9d503578e9a_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-30_05bdb8478c008bd36523d9d503578e9a_mafia.exe"
    1⤵
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:3680
    • C:\Users\Admin\AppData\Local\Temp\minidownload.exe
      C:\Users\Admin\AppData\Local\Temp\\minidownload.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:3020
    • C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
      "C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe" /Install?status=true&softurl=https%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3D5M778mNuk-IR5IpbEw6j9YpS1Wc4Ved3WXa85rh1XgyheSu4KSc873XX-0eLlV_4F8i1TnLGSv3WCEhQ8gp541fzIsbQqzhWSYgtsYpPEdeVaQV36m8XUwDnxvyjCrmDYWCpkDN0CEiS5mxV4Nz15XXmmtomLEANRjXrf4w8V2BQI45GGymLW2BerAtBedNjguDD3zUoyh0QPeaLH3gS2w..%26pcid%3D-8962761102861935100%26fr%3Dxiazai%26source%3Dtencent%26filename%3DDwg2pdf_Setup_V3.3.5.zip&iconurl=http%3A%2F%2Fpc3.gtimg.com%2Fsoftmgr%2Flogo%2F48%2Fpdfcreator_48x48.png&softname=DWG%E6%89%B9%E8%BD%ACPDF%E5%B7%A5%E5%85%B7&softsize=32.12MB
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Program Files (x86)\SogouDownLoad\crash\ExceptionReport.exe
        "C:\Program Files (x86)\SogouDownLoad\crash\ExceptionReport.exe" "dump202406300545"
        3⤵
        • Executes dropped EXE
        PID:648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe
    Filesize

    795KB

    MD5

    1a21e9b1435c06e562a1c6a2e92a82d6

    SHA1

    60457394473cb75fca7d3fe5069231e82c84a4e6

    SHA256

    35e9bfc9e668511572a1e41f9421b5bd931e1b66a0562789453690f306a9af8e

    SHA512

    d4336ddc4969c19078c0b06ae799a9062c571de12f471cdc6fcc8f9d27e3f8aebe75a0de47eaf7f719c3a58f69d40f7c28a964ab88cd9ef2b566c73e0e9f3eff

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\crash\ExceptionReport.exe
    Filesize

    111KB

    MD5

    ba7121a86dbffafc97e1b8c11c17e199

    SHA1

    922e584be46621e0ab57d3bb47b7c5dee8230ea8

    SHA256

    0bc616a788f782a37b8fb0134ffabdd8a2988205a125b2f400c3deb43e2a8971

    SHA512

    22641abfa34f8ed5c24375b221b6cae935fadffb4b1cf9f8c452658538dd4af459ec7e6a95d05fb7b3aa0fcb4bd195fa18d6fe787ece282fa5c5a8187da76197

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\html\config.ini
    Filesize

    116B

    MD5

    ffa1443199298e2c4ff1122f1ae14b05

    SHA1

    96175a64c1f8ba142aa057e8f76e13467ecefb82

    SHA256

    2d21ddb94831d5345bbfbe52ecd342067cf49c6eaf8c78057e1901b6c69c6574

    SHA512

    3955846ed694c43d2d9857168e1c3fee9714ecea70c0af04b1db6d7be5b4805b92730d74bc4a74ed5464c47e4af558b8d040d0efc8ec276fcb8c50c346fe61de

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\html\css\downloader.css
    Filesize

    7KB

    MD5

    0079cdb145c388c3e4c5e2235ac97bce

    SHA1

    7a8fee29992183dd572c52a1f6ca24219f4d8cba

    SHA256

    f4890eb5df2bb1b2921c0e561388780b4e2871998ca5aa7f4ec8bbf6ea1a715c

    SHA512

    7387d097152a49f8c57db203d89f64f6d2f905b60f69fa90d26ee3ebcab6428865e745fca63600c724c296db85d299502b4133cacd4b7dbcd4653712a82caa46

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\html\download.html
    Filesize

    7KB

    MD5

    382c18d88309c186f501dc3d31876461

    SHA1

    1c602b521deec4e2826e9280fed7e586351282c4

    SHA256

    67293d69f293e3347dd6eaabf19b84d3bba0fbc00fcc19d79be354da3f105687

    SHA512

    f82ba3616734551eef1239203cc09531280f1c9118edc1f1218c18247c13dc3455e7d783f440a919a1df47922d33ed8526deabd979fe4d12e6cef2a5707c045d

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\html\images\img_exe.gif
    Filesize

    657B

    MD5

    0e0ac8352cd69f396f271fa32f3ab554

    SHA1

    ed6d306a5033707f45477df3318a53d15b47cf43

    SHA256

    c2c34d6bf4e17b756954e409dc9b5663169d68997abd722ce1e86473b769f10c

    SHA512

    5d2528489c21600f16f04559500be3ebe9db5a1dc7bf9abc9c1312187b4b8b7bc5966f9eb2a38e26bff26c854a6d964fa156641fed9501cf0e7befedb60fd7e0

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\html\js\actions.js
    Filesize

    8KB

    MD5

    3b4a5f925a08bd18b636880b8d557077

    SHA1

    73ed8c3697681e7999bae4fdcc62867b263182ce

    SHA256

    48b8718ba8de855d6c937b23eb7ccc4f5482e6619de9261324c12a48ae6769dc

    SHA512

    aa5ffd3040a6eb964ed7c70d138e3201989f78551610e22585077fa86bff58740500d6309c339a2dded56481d04f7416ca97b22548fde4661f7da39c9600644b

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\html\js\jquery-1.11.2.min.js
    Filesize

    93KB

    MD5

    5790ead7ad3ba27397aedfa3d263b867

    SHA1

    8130544c215fe5d1ec081d83461bf4a711e74882

    SHA256

    2ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0

    SHA512

    781acedc99de4ce8d53d9b43a158c645eab1b23dfdfd6b57b3c442b11acc4a344e0d5b0067d4b78bb173abbded75fb91c410f2b5a58f71d438aa6266d048d98a

    Download Submit

  • C:\Program Files (x86)\SogouDownLoad\html\js\swfobject.js
    Filesize

    10KB

    MD5

    631f38cfac458788af482eba736e5ac3

    SHA1

    b1d09def39ec74eff2c9e0aafe0a7c12e7650150

    SHA256

    13e6cf03cdd65a8174cce7b0cb40c9821d2aff04a79c3374e8664fb0abb5694d

    SHA512

    3ae47c895cd586b1dca8bdf65c58bc896b27837881cc42bb7b3d55c9a71ea9e857939a69c5146b445b64714996393d1ec9c0d95b18d18fd5cb48f02bb8a53f42

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CRASH.DMP
    Filesize

    108KB

    MD5

    1f3f7234bfefa7004556a38cd3ec34a4

    SHA1

    6bedae65f2c55662a48a4764980751f68120dc9e

    SHA256

    71315605ec839cd1fb4d5e08cab65e2aa9c273c4ac6b78d6c431f68375f36608

    SHA512

    f8df4c23034ab3d6807f74d4d38e72b18029a23b4a3c5698aea8a3fda83646c34811acc4f5fef81ee498f5f4fee86d524223b790f2d6c24dbbdf9deb7e8b1885

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ERRORLOG.TXT
    Filesize

    34KB

    MD5

    bb03d783f904094fd8aac40774b536ea

    SHA1

    d2faa59a9f2fe41fec5a074909813043abe2d5a6

    SHA256

    492b225a5ab143a010946a316535cbcb4d37cf1573873b4b21460271135349e2

    SHA512

    1254304836fd1f5a81e0c61bd40aaac0b01bb0c3c8d965c3f4f0e87649ac41c1ed57a58d0ba86f76db19a07c6db371c4ac9e32d7c8661a89fff25a70548d7f8c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\minidownload.exe
    Filesize

    499KB

    MD5

    92611a7ef872df59c53eab1e76855a9d

    SHA1

    41351edd9c7a5587a2ba7793131205a8bc3896e8

    SHA256

    b655815e0b129134ccebd00f44eb87f85e72eb37a1879509e90f539dda4600cc

    SHA512

    1b07e6ef576751ee20e4d2c43031aa4d668b8dd3f58dd403db56fb9cce39c4c8646cb2c0268596c3df67f7fbbddefc017e5205f8f27612fb269caffa52536f0b

    Download Submit

  • memory/3972-45-0x0000000002C60000-0x0000000002C61000-memory.dmp

    Filesize

    4KB

    Download