Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
24-08-2024 06:02
General
-
Target
2024-08-24_daeff21cff07f9540b4eca3c47978265_mafia.exe
-
Size
529KB
-
MD5
daeff21cff07f9540b4eca3c47978265
-
SHA1
9476da87247990b87ea6625e949efdb4b0485078
-
SHA256
ebf09cce8686e044f02b7ce1253444f22213c9c395cfe04ea0ae43f311b568c1
-
SHA512
0907b76ed742b81abe55800b4759273de7aabcf1133adf6b8d389b8ba3f88af7145625ad9ccb670fe366c3fc9151e34fe10e52f0553ce77a00689bcb44cc876d
-
SSDEEP
12288:NU5rCOTeijyd7YgQNZnOb8HFIa26zTZwlH4Hp:NUQOJjyhYDe4HnhzTSlH4Hp
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-24_daeff21cff07f9540b4eca3c47978265_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-24_daeff21cff07f9540b4eca3c47978265_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ABFA.tmp"C:\Users\Admin\AppData\Local\Temp\ABFA.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AC97.tmp"C:\Users\Admin\AppData\Local\Temp\AC97.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AD23.tmp"C:\Users\Admin\AppData\Local\Temp\AD23.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ADCF.tmp"C:\Users\Admin\AppData\Local\Temp\ADCF.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AE5C.tmp"C:\Users\Admin\AppData\Local\Temp\AE5C.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AED9.tmp"C:\Users\Admin\AppData\Local\Temp\AED9.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AF56.tmp"C:\Users\Admin\AppData\Local\Temp\AF56.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AFF2.tmp"C:\Users\Admin\AppData\Local\Temp\AFF2.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B07F.tmp"C:\Users\Admin\AppData\Local\Temp\B07F.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B10B.tmp"C:\Users\Admin\AppData\Local\Temp\B10B.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B198.tmp"C:\Users\Admin\AppData\Local\Temp\B198.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B215.tmp"C:\Users\Admin\AppData\Local\Temp\B215.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B2A1.tmp"C:\Users\Admin\AppData\Local\Temp\B2A1.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B32E.tmp"C:\Users\Admin\AppData\Local\Temp\B32E.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B3CA.tmp"C:\Users\Admin\AppData\Local\Temp\B3CA.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B428.tmp"C:\Users\Admin\AppData\Local\Temp\B428.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B4C4.tmp"C:\Users\Admin\AppData\Local\Temp\B4C4.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B580.tmp"C:\Users\Admin\AppData\Local\Temp\B580.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B5ED.tmp"C:\Users\Admin\AppData\Local\Temp\B5ED.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B67A.tmp"C:\Users\Admin\AppData\Local\Temp\B67A.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B6F7.tmp"C:\Users\Admin\AppData\Local\Temp\B6F7.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B774.tmp"C:\Users\Admin\AppData\Local\Temp\B774.tmp"23⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\B7E1.tmp"C:\Users\Admin\AppData\Local\Temp\B7E1.tmp"24⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\B84F.tmp"C:\Users\Admin\AppData\Local\Temp\B84F.tmp"25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\B8FA.tmp"C:\Users\Admin\AppData\Local\Temp\B8FA.tmp"26⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\B987.tmp"C:\Users\Admin\AppData\Local\Temp\B987.tmp"27⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BA23.tmp"C:\Users\Admin\AppData\Local\Temp\BA23.tmp"28⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BAA0.tmp"C:\Users\Admin\AppData\Local\Temp\BAA0.tmp"29⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BB3D.tmp"C:\Users\Admin\AppData\Local\Temp\BB3D.tmp"30⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BBAA.tmp"C:\Users\Admin\AppData\Local\Temp\BBAA.tmp"31⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BC37.tmp"C:\Users\Admin\AppData\Local\Temp\BC37.tmp"32⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BCB4.tmp"C:\Users\Admin\AppData\Local\Temp\BCB4.tmp"33⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BD40.tmp"C:\Users\Admin\AppData\Local\Temp\BD40.tmp"34⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BD8E.tmp"C:\Users\Admin\AppData\Local\Temp\BD8E.tmp"35⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BDEC.tmp"C:\Users\Admin\AppData\Local\Temp\BDEC.tmp"36⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BE4A.tmp"C:\Users\Admin\AppData\Local\Temp\BE4A.tmp"37⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BEA8.tmp"C:\Users\Admin\AppData\Local\Temp\BEA8.tmp"38⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BF15.tmp"C:\Users\Admin\AppData\Local\Temp\BF15.tmp"39⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BF63.tmp"C:\Users\Admin\AppData\Local\Temp\BF63.tmp"40⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BFD0.tmp"C:\Users\Admin\AppData\Local\Temp\BFD0.tmp"41⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C02E.tmp"C:\Users\Admin\AppData\Local\Temp\C02E.tmp"42⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C08C.tmp"C:\Users\Admin\AppData\Local\Temp\C08C.tmp"43⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C0EA.tmp"C:\Users\Admin\AppData\Local\Temp\C0EA.tmp"44⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C147.tmp"C:\Users\Admin\AppData\Local\Temp\C147.tmp"45⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C1B5.tmp"C:\Users\Admin\AppData\Local\Temp\C1B5.tmp"46⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C203.tmp"C:\Users\Admin\AppData\Local\Temp\C203.tmp"47⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C270.tmp"C:\Users\Admin\AppData\Local\Temp\C270.tmp"48⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C2CE.tmp"C:\Users\Admin\AppData\Local\Temp\C2CE.tmp"49⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C32C.tmp"C:\Users\Admin\AppData\Local\Temp\C32C.tmp"50⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C38A.tmp"C:\Users\Admin\AppData\Local\Temp\C38A.tmp"51⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C3E7.tmp"C:\Users\Admin\AppData\Local\Temp\C3E7.tmp"52⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C445.tmp"C:\Users\Admin\AppData\Local\Temp\C445.tmp"53⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C4B2.tmp"C:\Users\Admin\AppData\Local\Temp\C4B2.tmp"54⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C510.tmp"C:\Users\Admin\AppData\Local\Temp\C510.tmp"55⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C56E.tmp"C:\Users\Admin\AppData\Local\Temp\C56E.tmp"56⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C5DB.tmp"C:\Users\Admin\AppData\Local\Temp\C5DB.tmp"57⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C658.tmp"C:\Users\Admin\AppData\Local\Temp\C658.tmp"58⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C6A6.tmp"C:\Users\Admin\AppData\Local\Temp\C6A6.tmp"59⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C714.tmp"C:\Users\Admin\AppData\Local\Temp\C714.tmp"60⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C772.tmp"C:\Users\Admin\AppData\Local\Temp\C772.tmp"61⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C7DF.tmp"C:\Users\Admin\AppData\Local\Temp\C7DF.tmp"62⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C84C.tmp"C:\Users\Admin\AppData\Local\Temp\C84C.tmp"63⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C8AA.tmp"C:\Users\Admin\AppData\Local\Temp\C8AA.tmp"64⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C917.tmp"C:\Users\Admin\AppData\Local\Temp\C917.tmp"65⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C985.tmp"C:\Users\Admin\AppData\Local\Temp\C985.tmp"66⤵
-
C:\Users\Admin\AppData\Local\Temp\C9F2.tmp"C:\Users\Admin\AppData\Local\Temp\C9F2.tmp"67⤵
-
C:\Users\Admin\AppData\Local\Temp\CA60.tmp"C:\Users\Admin\AppData\Local\Temp\CA60.tmp"68⤵
-
C:\Users\Admin\AppData\Local\Temp\CACD.tmp"C:\Users\Admin\AppData\Local\Temp\CACD.tmp"69⤵
-
C:\Users\Admin\AppData\Local\Temp\CB3A.tmp"C:\Users\Admin\AppData\Local\Temp\CB3A.tmp"70⤵
-
C:\Users\Admin\AppData\Local\Temp\CBA8.tmp"C:\Users\Admin\AppData\Local\Temp\CBA8.tmp"71⤵
-
C:\Users\Admin\AppData\Local\Temp\CBF6.tmp"C:\Users\Admin\AppData\Local\Temp\CBF6.tmp"72⤵
-
C:\Users\Admin\AppData\Local\Temp\CC63.tmp"C:\Users\Admin\AppData\Local\Temp\CC63.tmp"73⤵
-
C:\Users\Admin\AppData\Local\Temp\CCD1.tmp"C:\Users\Admin\AppData\Local\Temp\CCD1.tmp"74⤵
-
C:\Users\Admin\AppData\Local\Temp\CD4E.tmp"C:\Users\Admin\AppData\Local\Temp\CD4E.tmp"75⤵
-
C:\Users\Admin\AppData\Local\Temp\CDAB.tmp"C:\Users\Admin\AppData\Local\Temp\CDAB.tmp"76⤵
-
C:\Users\Admin\AppData\Local\Temp\CE19.tmp"C:\Users\Admin\AppData\Local\Temp\CE19.tmp"77⤵
-
C:\Users\Admin\AppData\Local\Temp\CE76.tmp"C:\Users\Admin\AppData\Local\Temp\CE76.tmp"78⤵
-
C:\Users\Admin\AppData\Local\Temp\CEE4.tmp"C:\Users\Admin\AppData\Local\Temp\CEE4.tmp"79⤵
-
C:\Users\Admin\AppData\Local\Temp\CF42.tmp"C:\Users\Admin\AppData\Local\Temp\CF42.tmp"80⤵
-
C:\Users\Admin\AppData\Local\Temp\CFAF.tmp"C:\Users\Admin\AppData\Local\Temp\CFAF.tmp"81⤵
-
C:\Users\Admin\AppData\Local\Temp\D01C.tmp"C:\Users\Admin\AppData\Local\Temp\D01C.tmp"82⤵
-
C:\Users\Admin\AppData\Local\Temp\D08A.tmp"C:\Users\Admin\AppData\Local\Temp\D08A.tmp"83⤵
-
C:\Users\Admin\AppData\Local\Temp\D0F7.tmp"C:\Users\Admin\AppData\Local\Temp\D0F7.tmp"84⤵
-
C:\Users\Admin\AppData\Local\Temp\D164.tmp"C:\Users\Admin\AppData\Local\Temp\D164.tmp"85⤵
-
C:\Users\Admin\AppData\Local\Temp\D1C2.tmp"C:\Users\Admin\AppData\Local\Temp\D1C2.tmp"86⤵
-
C:\Users\Admin\AppData\Local\Temp\D210.tmp"C:\Users\Admin\AppData\Local\Temp\D210.tmp"87⤵
-
C:\Users\Admin\AppData\Local\Temp\D26E.tmp"C:\Users\Admin\AppData\Local\Temp\D26E.tmp"88⤵
-
C:\Users\Admin\AppData\Local\Temp\D2DB.tmp"C:\Users\Admin\AppData\Local\Temp\D2DB.tmp"89⤵
-
C:\Users\Admin\AppData\Local\Temp\D339.tmp"C:\Users\Admin\AppData\Local\Temp\D339.tmp"90⤵
-
C:\Users\Admin\AppData\Local\Temp\D397.tmp"C:\Users\Admin\AppData\Local\Temp\D397.tmp"91⤵
-
C:\Users\Admin\AppData\Local\Temp\D3F5.tmp"C:\Users\Admin\AppData\Local\Temp\D3F5.tmp"92⤵
-
C:\Users\Admin\AppData\Local\Temp\D452.tmp"C:\Users\Admin\AppData\Local\Temp\D452.tmp"93⤵
-
C:\Users\Admin\AppData\Local\Temp\D4B0.tmp"C:\Users\Admin\AppData\Local\Temp\D4B0.tmp"94⤵
-
C:\Users\Admin\AppData\Local\Temp\D4FE.tmp"C:\Users\Admin\AppData\Local\Temp\D4FE.tmp"95⤵
-
C:\Users\Admin\AppData\Local\Temp\D54C.tmp"C:\Users\Admin\AppData\Local\Temp\D54C.tmp"96⤵
-
C:\Users\Admin\AppData\Local\Temp\D59B.tmp"C:\Users\Admin\AppData\Local\Temp\D59B.tmp"97⤵
-
C:\Users\Admin\AppData\Local\Temp\D608.tmp"C:\Users\Admin\AppData\Local\Temp\D608.tmp"98⤵
-
C:\Users\Admin\AppData\Local\Temp\D656.tmp"C:\Users\Admin\AppData\Local\Temp\D656.tmp"99⤵
-
C:\Users\Admin\AppData\Local\Temp\D6B4.tmp"C:\Users\Admin\AppData\Local\Temp\D6B4.tmp"100⤵
-
C:\Users\Admin\AppData\Local\Temp\D712.tmp"C:\Users\Admin\AppData\Local\Temp\D712.tmp"101⤵
-
C:\Users\Admin\AppData\Local\Temp\D77F.tmp"C:\Users\Admin\AppData\Local\Temp\D77F.tmp"102⤵
-
C:\Users\Admin\AppData\Local\Temp\D7DD.tmp"C:\Users\Admin\AppData\Local\Temp\D7DD.tmp"103⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\D82B.tmp"C:\Users\Admin\AppData\Local\Temp\D82B.tmp"104⤵
-
C:\Users\Admin\AppData\Local\Temp\D898.tmp"C:\Users\Admin\AppData\Local\Temp\D898.tmp"105⤵
-
C:\Users\Admin\AppData\Local\Temp\D906.tmp"C:\Users\Admin\AppData\Local\Temp\D906.tmp"106⤵
-
C:\Users\Admin\AppData\Local\Temp\D963.tmp"C:\Users\Admin\AppData\Local\Temp\D963.tmp"107⤵
-
C:\Users\Admin\AppData\Local\Temp\D9B1.tmp"C:\Users\Admin\AppData\Local\Temp\D9B1.tmp"108⤵
-
C:\Users\Admin\AppData\Local\Temp\DA0F.tmp"C:\Users\Admin\AppData\Local\Temp\DA0F.tmp"109⤵
-
C:\Users\Admin\AppData\Local\Temp\DA7D.tmp"C:\Users\Admin\AppData\Local\Temp\DA7D.tmp"110⤵
-
C:\Users\Admin\AppData\Local\Temp\DADA.tmp"C:\Users\Admin\AppData\Local\Temp\DADA.tmp"111⤵
-
C:\Users\Admin\AppData\Local\Temp\DB38.tmp"C:\Users\Admin\AppData\Local\Temp\DB38.tmp"112⤵
-
C:\Users\Admin\AppData\Local\Temp\DB96.tmp"C:\Users\Admin\AppData\Local\Temp\DB96.tmp"113⤵
-
C:\Users\Admin\AppData\Local\Temp\DC03.tmp"C:\Users\Admin\AppData\Local\Temp\DC03.tmp"114⤵
-
C:\Users\Admin\AppData\Local\Temp\DC71.tmp"C:\Users\Admin\AppData\Local\Temp\DC71.tmp"115⤵
-
C:\Users\Admin\AppData\Local\Temp\DCCE.tmp"C:\Users\Admin\AppData\Local\Temp\DCCE.tmp"116⤵
-
C:\Users\Admin\AppData\Local\Temp\DD1C.tmp"C:\Users\Admin\AppData\Local\Temp\DD1C.tmp"117⤵
-
C:\Users\Admin\AppData\Local\Temp\DD8A.tmp"C:\Users\Admin\AppData\Local\Temp\DD8A.tmp"118⤵
-
C:\Users\Admin\AppData\Local\Temp\DDF7.tmp"C:\Users\Admin\AppData\Local\Temp\DDF7.tmp"119⤵
-
C:\Users\Admin\AppData\Local\Temp\DE45.tmp"C:\Users\Admin\AppData\Local\Temp\DE45.tmp"120⤵
-
C:\Users\Admin\AppData\Local\Temp\DE93.tmp"C:\Users\Admin\AppData\Local\Temp\DE93.tmp"121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-