8ef6fb342ffe00a8be99115d68fca3c83a8d6c7b8b1c0826f5b405dbec673013

General

Target

2024-08-25_5cf13d7c5d45c101956e5c18a72b0f30_mafia.exe
Size

6.0MB
MD5

5cf13d7c5d45c101956e5c18a72b0f30
SHA1

6523f525eaef88b27238033a64f30d1a6e090e9f
SHA256

8ef6fb342ffe00a8be99115d68fca3c83a8d6c7b8b1c0826f5b405dbec673013
SHA512

257b022ac8dde4e05a127e81af2a2e3469b2a3ebbd2fa7f4ade48c9cbc275623b815b862c8e373a75a4a5e6427a96a019d4650e0baba1c693c0fcc72444cd901
SSDEEP

98304:w1SCUlJurbOI+gHDDV4twpmVKePTRcRoDGWHCWf7Hd0FLEIbhF:gkJurjDDWtq+ryRsGWHzH2FgoD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2920	optsetup.exe
2832	optsetup.tmp

Loads dropped DLL 6 IoCs

pid	Process
1848	2024-08-25_5cf13d7c5d45c101956e5c18a72b0f30_mafia.exe
2920	optsetup.exe
2832	optsetup.tmp
2832	optsetup.tmp
2832	optsetup.tmp
2832	optsetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	optsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	optsetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-25_5cf13d7c5d45c101956e5c18a72b0f30_mafia.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	optsetup.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	optsetup.tmp

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1848	2024-08-25_5cf13d7c5d45c101956e5c18a72b0f30_mafia.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2832	optsetup.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2920	1848	2024-08-25_5cf13d7c5d45c101956e5c18a72b0f30_mafia.exe	31
PID 1848 wrote to memory of 2920	1848	2024-08-25_5cf13d7c5d45c101956e5c18a72b0f30_mafia.exe	31
PID 1848 wrote to memory of 2920	1848	2024-08-25_5cf13d7c5d45c101956e5c18a72b0f30_mafia.exe	31
PID 1848 wrote to memory of 2920	1848	2024-08-25_5cf13d7c5d45c101956e5c18a72b0f30_mafia.exe	31
PID 1848 wrote to memory of 2920	1848	2024-08-25_5cf13d7c5d45c101956e5c18a72b0f30_mafia.exe	31
PID 1848 wrote to memory of 2920	1848	2024-08-25_5cf13d7c5d45c101956e5c18a72b0f30_mafia.exe	31
PID 1848 wrote to memory of 2920	1848	2024-08-25_5cf13d7c5d45c101956e5c18a72b0f30_mafia.exe	31
PID 2920 wrote to memory of 2832	2920	optsetup.exe	32
PID 2920 wrote to memory of 2832	2920	optsetup.exe	32
PID 2920 wrote to memory of 2832	2920	optsetup.exe	32
PID 2920 wrote to memory of 2832	2920	optsetup.exe	32
PID 2920 wrote to memory of 2832	2920	optsetup.exe	32
PID 2920 wrote to memory of 2832	2920	optsetup.exe	32
PID 2920 wrote to memory of 2832	2920	optsetup.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-08-25_5cf13d7c5d45c101956e5c18a72b0f30_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_5cf13d7c5d45c101956e5c18a72b0f30_mafia.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\optsetup.exe
  C:\Users\Admin\AppData\Local\Temp\\optsetup.exe /MMJS
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\is-R31RJ.tmp\optsetup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-R31RJ.tmp\optsetup.tmp" /SL5="$40150,5637987,115200,C:\Users\Admin\AppData\Local\Temp\optsetup.exe" /MMJS
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-LPVMV.tmp\OptProHelper.dll

Filesize
1.2MB

MD5
079f83c6472eb4b3cf3dafe6985eac9d

SHA1
2490436a78daaedcbbdd1ae18aaf4ab9d84e967a

SHA256
e16a72b781fa36755a5078516fb5f81b360f2ba70cb3bc5d958cca927c4ad450

SHA512
4a941bdc68d943e4c8f3773bbfa40850678e89b5162a2b17c22459eb53cfe61a31dfa4f6d68bc860b59b8d3aa8cb75b92ede273ca7387c9eeeaea9b46e133c81

Download Submit
\Users\Admin\AppData\Local\Temp\is-LPVMV.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-LPVMV.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-R31RJ.tmp\optsetup.tmp

Filesize
1.1MB

MD5
c1695a7137063ff381449ccb4d334149

SHA1
bfa105eb86ad85b4ad84a181b99d105764e73d3f

SHA256
eede214913ae990b50226df807a7991eaf7c411834d32aefd98cd1cab8dbe70d

SHA512
c70027d9d1ce23a356cd2e25b45737a5df6f2126aed294591adce3ae7bc3ae3fd5c9115ee5ff6b70e8f6e6c084ede9bbe5ba01a250b526ef4f90cf0d56e75303

Download Submit
\Users\Admin\AppData\Local\Temp\optsetup.exe

Filesize
5.9MB

MD5
7400b3f5411e6207a462e9f9e6210d8f

SHA1
49e8cf6e00fc697cb734216b69d1b6014ccc4bec

SHA256
18263690f78227abe41d3fd3dd16c653af7fe2b4f8e35545b9e6f2eacc4692d8

SHA512
554e94001381b9faf90fa57051cd90a3813fc940dde5c4b589238ccb0ff245cfb4f148aca4b086922782669b137731a2463ff532db13066a65f06b4cd65eb39e

Download Submit
memory/2832-14-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/2832-24-0x0000000001FF0000-0x000000000202C000-memory.dmp

Filesize
240KB

Download
memory/2832-28-0x0000000004030000-0x0000000004176000-memory.dmp

Filesize
1.3MB

Download
memory/2832-32-0x0000000001FF0000-0x000000000202C000-memory.dmp

Filesize
240KB

Download
memory/2832-33-0x0000000004030000-0x0000000004176000-memory.dmp

Filesize
1.3MB

Download
memory/2832-34-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/2832-44-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/2832-47-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/2832-51-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/2920-5-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2920-8-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2920-30-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing