Analysis

  • max time kernel
    150s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-08-2024 06:45

General

  • Target

    2024-08-21_b95b0b558379a7f41fee9513a914e547_mafia.exe

  • Size

    5.1MB

  • MD5

    b95b0b558379a7f41fee9513a914e547

  • SHA1

    9b47ca8e02a41fff4cf2b627c64f00ab806deeba

  • SHA256

    26d8f4296fc74002aad6375a24a117b4448521623e3891a31390c614406b51a1

  • SHA512

    6e34a7a5ad3905bc34423ad2ed877218601abd3553116c6df488d933bdc41c0dde7ad00d3e1ac18d3ee91366bc760b8b1bc7c31e42730882e7b513663ad405a6

  • SSDEEP

    49152:zCnZ0c2C4RG2WcMl1Du9pNAhhIuODDvu+3h9mYdh5ZeqeDIs6d57+/cTy1vdZ3PC:WPcUHlUFAhavx3h9XhPeqeDlX3uk

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Remote Services: SMB/Windows Admin Shares (1 TTP, 1 IoC)

    Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) (3 TTPs, 6 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (52 IoCs)
  • Suspicious behavior: LoadsDriver (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (7 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SendNotifyMessage (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-21_b95b0b558379a7f41fee9513a914e547_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-21_b95b0b558379a7f41fee9513a914e547_mafia.exe"
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Remote Services: SMB/Windows Admin Shares
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID: 3596
    Child processes:
    • C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java" -version
      PID: 4200
    • C:\Program Files\Java\jdk-1.8\bin\java.exe
      "C:\Program Files\Java\jdk-1.8\bin\java" -version
      PID: 556
    • C:\Windows\SysWOW64\secedit.exe
      /export /cfg "C:\Users\Admin\AppData\Local\Temp\spc_se.txt" /quiet /areas SECURITYPOLICY
      • System Location Discovery: System Language Discovery
      PID: 4532
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet -s p2pimsvc
    PID: 1452
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    PID: 4352

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sce17976.tmp

    Filesize

    12KB

    MD5

    009819c0abc869038a9d184bd7a9b6c7

    SHA1

    3ce497bc1ce7cb35209fd2a8556dabae7ee3adfe

    SHA256

    2fd69eb9a60ae80b0168ff8f4656e5981701f1558bf5707997b1ee9ba35c3185

    SHA512

    3fe0065e16ade01bda35f0c850b6a67cfbd0e3377e7470c67680f2502b76444261f6abc4dbd6ea2822d1a76f3d386c6f7af7aa5bd8f32659d15912428ec7b23d

  • memory/556-31-0x0000021AEE0B0000-0x0000021AEE0B1000-memory.dmp

    Filesize

    4KB

  • memory/3596-0-0x0000000001560000-0x0000000001561000-memory.dmp

    Filesize

    4KB

  • memory/3596-49-0x0000000001560000-0x0000000001561000-memory.dmp

    Filesize

    4KB

  • memory/4200-7-0x00000261CC1B0000-0x00000261CC420000-memory.dmp

    Filesize

    2.4MB

  • memory/4200-20-0x00000261CC1B0000-0x00000261CC420000-memory.dmp

    Filesize

    2.4MB

  • memory/4200-19-0x00000261CC190000-0x00000261CC191000-memory.dmp

    Filesize

    4KB