cf4b0a82d0da831d106eae1badbbb6bfbbbbdde3951a51bab3b84f57a0d10c9a

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 11:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-23_e53e777f83aea53b8a111655cd724860_mafia.exe
Size

428KB
MD5

e53e777f83aea53b8a111655cd724860
SHA1

afa520c096ac1e751ffce27ed6c56b8dd576e176
SHA256

cf4b0a82d0da831d106eae1badbbb6bfbbbbdde3951a51bab3b84f57a0d10c9a
SHA512

f3229be13a5d8f87787e50bf9908374854ef8250f8f31b5d21c0bb5a2eea4d6e39924841f78c8ab0f78bd80aac90ad81c1317a5eabafb94f69c37b656606a7b4
SSDEEP

12288:Z594+AcL4tBekiuKzErRleIJCfil+xOhLwTl:BL4tBekiuVrR0Nw+G2

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2028	C4F4.tmp

Executes dropped EXE 1 IoCs

pid	Process
2028	C4F4.tmp

Loads dropped DLL 1 IoCs

pid	Process
2036	2024-08-23_e53e777f83aea53b8a111655cd724860_mafia.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-23_e53e777f83aea53b8a111655cd724860_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C4F4.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2028	2036	2024-08-23_e53e777f83aea53b8a111655cd724860_mafia.exe	30
PID 2036 wrote to memory of 2028	2036	2024-08-23_e53e777f83aea53b8a111655cd724860_mafia.exe	30
PID 2036 wrote to memory of 2028	2036	2024-08-23_e53e777f83aea53b8a111655cd724860_mafia.exe	30
PID 2036 wrote to memory of 2028	2036	2024-08-23_e53e777f83aea53b8a111655cd724860_mafia.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-08-23_e53e777f83aea53b8a111655cd724860_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-23_e53e777f83aea53b8a111655cd724860_mafia.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\C4F4.tmp
  "C:\Users\Admin\AppData\Local\Temp\C4F4.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-08-23_e53e777f83aea53b8a111655cd724860_mafia.exe FCFEB38F1671609C3C80734F016215D826C9E5039F4443C03DBB9B91FDBC4F9059933F224A22497AEAB0CA609F1D7E7D6E10D99CE2EA9AD68431FF02ACBE5B18
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\C4F4.tmp

Filesize
428KB

MD5
c7061d17eb568b472888b49088d7846f

SHA1
fbd0aaa46ad15d2f7cc793198f664d01620a5080

SHA256
447a6f898dcc93676ee4df399003b269d00b7c40fc868a6ca0856eb8bec05ebc

SHA512
d5342436637f72691ff36862b1621e3077f268ec309d08fcbf99cb12c7739f526791fd22f40b31077f98f7660e4c7e2886a42657b3bf179e2b671f2fd41973db

Download Submit