310562e2befc744bb0d35c20fdd4a342b085d3271a1ce623100f238cf72ada12

Analysis

max time kernel
10s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/08/2024, 21:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-16_10fdb86546dcaa2c394a6914f0a3523b_mafia.exe
Size

433KB
MD5

10fdb86546dcaa2c394a6914f0a3523b
SHA1

51e1129d90b2ce1507a57939d12423fab487a79e
SHA256

310562e2befc744bb0d35c20fdd4a342b085d3271a1ce623100f238cf72ada12
SHA512

0aca980e393b0a4ff3a67c9e9e2e86c488eb5ac272d90ef7c7208f14d34aa9c45740b699393b893512a9440566192e2706e415e9d1ebc74ccc110ea7037d869b
SSDEEP

12288:Ci4g+yU+0pAiv+vC9sQXsJCU9viAOSbLncQOP1SSEzn:Ci4gXn0pD+aiJDdFbYKSO

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1792	D2A.tmp

Executes dropped EXE 1 IoCs

pid	Process
1792	D2A.tmp

Loads dropped DLL 1 IoCs

pid	Process
3012	2024-08-16_10fdb86546dcaa2c394a6914f0a3523b_mafia.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-16_10fdb86546dcaa2c394a6914f0a3523b_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D2A.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1792	3012	2024-08-16_10fdb86546dcaa2c394a6914f0a3523b_mafia.exe	29
PID 3012 wrote to memory of 1792	3012	2024-08-16_10fdb86546dcaa2c394a6914f0a3523b_mafia.exe	29
PID 3012 wrote to memory of 1792	3012	2024-08-16_10fdb86546dcaa2c394a6914f0a3523b_mafia.exe	29
PID 3012 wrote to memory of 1792	3012	2024-08-16_10fdb86546dcaa2c394a6914f0a3523b_mafia.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-08-16_10fdb86546dcaa2c394a6914f0a3523b_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-16_10fdb86546dcaa2c394a6914f0a3523b_mafia.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\D2A.tmp
  "C:\Users\Admin\AppData\Local\Temp\D2A.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-08-16_10fdb86546dcaa2c394a6914f0a3523b_mafia.exe CF0C3E3777602AC7C3782CEF69E0120739997BA4285E6547B364633B2967DBFE18A60BC6E9EC6DAC9DFA2BAB85A2EE3BCCE73E16A36C80C757943AE0232F9D68
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D2A.tmp

Filesize
433KB

MD5
d2b6d18ed0edc1a6265f753a24363e6b

SHA1
16cbc204f517ecfef7e898e1c8467880df5657d8

SHA256
995d52ba172ea38a9c2666a1c98a53ac769800fed1efa7998202b0443fb727e6

SHA512
388cdde713aeb609c5bb95bd72764f5df8e262348551460c74474b39f37b4e1fa007c2d19a1d2678af87895f73f0721c69d9ecffc4012ca985228d5b3abea5e4

Download Submit