d09cc8129c7f4124df9cd407e4142552f7682d235d58c44ec1420572b92f6cac

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-02_90afd8a316c41007a164ccdc12796195_mafia.exe
Size

8.1MB
MD5

90afd8a316c41007a164ccdc12796195
SHA1

ec98e27327dfb11046e56c3ecb0e0746c70f82d8
SHA256

d09cc8129c7f4124df9cd407e4142552f7682d235d58c44ec1420572b92f6cac
SHA512

d17b186ab903d6b9f93776f3059c1701d712a9a6c1c1c14d27b8e75af54abca6b7bd4a70e874055e4fa824b65a6c64be0a6b431b91e12ba6b4f79ba45b49fd7c
SSDEEP

196608:0oG/Dv2I6riWumX7D/SEJSwCcalnY7du5xhcU7:0oGLSriWzXPS4uBY7duzWU7

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2816	snow64.exe

Loads dropped DLL 1 IoCs

pid	Process
2728	2024-08-02_90afd8a316c41007a164ccdc12796195_mafia.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-02_90afd8a316c41007a164ccdc12796195_mafia.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	snow64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	snow64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	snow64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	snow64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	snow64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	snow64.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2816	2728	2024-08-02_90afd8a316c41007a164ccdc12796195_mafia.exe	30
PID 2728 wrote to memory of 2816	2728	2024-08-02_90afd8a316c41007a164ccdc12796195_mafia.exe	30
PID 2728 wrote to memory of 2816	2728	2024-08-02_90afd8a316c41007a164ccdc12796195_mafia.exe	30
PID 2728 wrote to memory of 2816	2728	2024-08-02_90afd8a316c41007a164ccdc12796195_mafia.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-08-02_90afd8a316c41007a164ccdc12796195_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-02_90afd8a316c41007a164ccdc12796195_mafia.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Snow Software\SSA\snow64.exe
  "C:\Users\Admin\AppData\Local\Snow Software\SSA\snow64.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Snow Software\SSA\config

Filesize
1KB

MD5
732815379f316fe8f26e5c453d7719fa

SHA1
a03c89cfc9dc34a6ae8b64808ca5da8a32b345d8

SHA256
6f9f8dd3592ecb13bc051f6cb229883d20e811852f3e2b789e4a0176c66cae3a

SHA512
91b202b134386316f978edd54a6c4af6e247b2b5f0cc1a7635922e4148791072e8d3263049f432b19c0c10fed223e180573dc50ae1a056b6f7f9cc6c80b9a558

Download Submit
\Users\Admin\AppData\Local\Snow Software\SSA\snow64.exe

Filesize
4.4MB

MD5
92881ec3f6c1bd490279e6d8a1c71bf0

SHA1
96df20644726b1231004359e070b80f651133db1

SHA256
113626d6cc8596df5c5d9d667bb2d278b9a999a62b92eb13a5c77d2a6cbfb253

SHA512
33ec136f5b6c731b53e7b8cd512864f91969c591f5ef74f7035aa257a42109a315495946a9e038ac6c0ea337c41b345b29d2cd2b23d2ec42091a04db88393924

Download Submit