Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03/09/2024, 06:13
General
-
Target
2024-09-03_81a6c3286033fcc0c27ae411e5352f4c_mafia.exe
-
Size
712KB
-
MD5
81a6c3286033fcc0c27ae411e5352f4c
-
SHA1
76a8a97f08c8a406d15e20f0a8ac026c0f0c8024
-
SHA256
0527d2574dc291821b463382b5c9e68e677cfee9f40eb0202d0c4b21e75017b4
-
SHA512
81e06c696c954d5d3c7bcaadf727bcdb59eb4416f854eb4965586035a5a2b6ab55c684a91105d5493e1180405fef9d58773e7f331127eb829676299e558b6237
-
SSDEEP
12288:FU5rCOTeiDe8vV+EpYDFU+6XBa930dNZdCvq5TJLCvY90D8/LVBlVk736Y79GWzC:FUQOJDTHYDFU+6XUONnCvq5TJLCvY90E
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-03_81a6c3286033fcc0c27ae411e5352f4c_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-03_81a6c3286033fcc0c27ae411e5352f4c_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1827.tmp"C:\Users\Admin\AppData\Local\Temp\1827.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\18B3.tmp"C:\Users\Admin\AppData\Local\Temp\18B3.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1AA7.tmp"C:\Users\Admin\AppData\Local\Temp\1AA7.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1B82.tmp"C:\Users\Admin\AppData\Local\Temp\1B82.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1C1E.tmp"C:\Users\Admin\AppData\Local\Temp\1C1E.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1CAB.tmp"C:\Users\Admin\AppData\Local\Temp\1CAB.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1D57.tmp"C:\Users\Admin\AppData\Local\Temp\1D57.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1E03.tmp"C:\Users\Admin\AppData\Local\Temp\1E03.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1E70.tmp"C:\Users\Admin\AppData\Local\Temp\1E70.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1F0C.tmp"C:\Users\Admin\AppData\Local\Temp\1F0C.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1FB8.tmp"C:\Users\Admin\AppData\Local\Temp\1FB8.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2045.tmp"C:\Users\Admin\AppData\Local\Temp\2045.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\20D1.tmp"C:\Users\Admin\AppData\Local\Temp\20D1.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\218D.tmp"C:\Users\Admin\AppData\Local\Temp\218D.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2219.tmp"C:\Users\Admin\AppData\Local\Temp\2219.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2296.tmp"C:\Users\Admin\AppData\Local\Temp\2296.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2323.tmp"C:\Users\Admin\AppData\Local\Temp\2323.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\23CF.tmp"C:\Users\Admin\AppData\Local\Temp\23CF.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\244C.tmp"C:\Users\Admin\AppData\Local\Temp\244C.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\24C9.tmp"C:\Users\Admin\AppData\Local\Temp\24C9.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\25A4.tmp"C:\Users\Admin\AppData\Local\Temp\25A4.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2630.tmp"C:\Users\Admin\AppData\Local\Temp\2630.tmp"23⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\26BD.tmp"C:\Users\Admin\AppData\Local\Temp\26BD.tmp"24⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\273A.tmp"C:\Users\Admin\AppData\Local\Temp\273A.tmp"25⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\27F5.tmp"C:\Users\Admin\AppData\Local\Temp\27F5.tmp"26⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2882.tmp"C:\Users\Admin\AppData\Local\Temp\2882.tmp"27⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\294D.tmp"C:\Users\Admin\AppData\Local\Temp\294D.tmp"28⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\29E9.tmp"C:\Users\Admin\AppData\Local\Temp\29E9.tmp"29⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2AA5.tmp"C:\Users\Admin\AppData\Local\Temp\2AA5.tmp"30⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2B22.tmp"C:\Users\Admin\AppData\Local\Temp\2B22.tmp"31⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2BCE.tmp"C:\Users\Admin\AppData\Local\Temp\2BCE.tmp"32⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2C7A.tmp"C:\Users\Admin\AppData\Local\Temp\2C7A.tmp"33⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2CF7.tmp"C:\Users\Admin\AppData\Local\Temp\2CF7.tmp"34⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2D64.tmp"C:\Users\Admin\AppData\Local\Temp\2D64.tmp"35⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2DD1.tmp"C:\Users\Admin\AppData\Local\Temp\2DD1.tmp"36⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2E3F.tmp"C:\Users\Admin\AppData\Local\Temp\2E3F.tmp"37⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2EAC.tmp"C:\Users\Admin\AppData\Local\Temp\2EAC.tmp"38⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2EFA.tmp"C:\Users\Admin\AppData\Local\Temp\2EFA.tmp"39⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2F58.tmp"C:\Users\Admin\AppData\Local\Temp\2F58.tmp"40⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2FB6.tmp"C:\Users\Admin\AppData\Local\Temp\2FB6.tmp"41⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3004.tmp"C:\Users\Admin\AppData\Local\Temp\3004.tmp"42⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3081.tmp"C:\Users\Admin\AppData\Local\Temp\3081.tmp"43⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\30DF.tmp"C:\Users\Admin\AppData\Local\Temp\30DF.tmp"44⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\313C.tmp"C:\Users\Admin\AppData\Local\Temp\313C.tmp"45⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\319A.tmp"C:\Users\Admin\AppData\Local\Temp\319A.tmp"46⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3208.tmp"C:\Users\Admin\AppData\Local\Temp\3208.tmp"47⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3265.tmp"C:\Users\Admin\AppData\Local\Temp\3265.tmp"48⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\32D3.tmp"C:\Users\Admin\AppData\Local\Temp\32D3.tmp"49⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3321.tmp"C:\Users\Admin\AppData\Local\Temp\3321.tmp"50⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\337F.tmp"C:\Users\Admin\AppData\Local\Temp\337F.tmp"51⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\33EC.tmp"C:\Users\Admin\AppData\Local\Temp\33EC.tmp"52⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3459.tmp"C:\Users\Admin\AppData\Local\Temp\3459.tmp"53⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\34B7.tmp"C:\Users\Admin\AppData\Local\Temp\34B7.tmp"54⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3515.tmp"C:\Users\Admin\AppData\Local\Temp\3515.tmp"55⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3582.tmp"C:\Users\Admin\AppData\Local\Temp\3582.tmp"56⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\35F0.tmp"C:\Users\Admin\AppData\Local\Temp\35F0.tmp"57⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\365D.tmp"C:\Users\Admin\AppData\Local\Temp\365D.tmp"58⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\36BB.tmp"C:\Users\Admin\AppData\Local\Temp\36BB.tmp"59⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3718.tmp"C:\Users\Admin\AppData\Local\Temp\3718.tmp"60⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3776.tmp"C:\Users\Admin\AppData\Local\Temp\3776.tmp"61⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\37E4.tmp"C:\Users\Admin\AppData\Local\Temp\37E4.tmp"62⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3851.tmp"C:\Users\Admin\AppData\Local\Temp\3851.tmp"63⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\38AF.tmp"C:\Users\Admin\AppData\Local\Temp\38AF.tmp"64⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\391C.tmp"C:\Users\Admin\AppData\Local\Temp\391C.tmp"65⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\397A.tmp"C:\Users\Admin\AppData\Local\Temp\397A.tmp"66⤵
-
C:\Users\Admin\AppData\Local\Temp\39E7.tmp"C:\Users\Admin\AppData\Local\Temp\39E7.tmp"67⤵
-
C:\Users\Admin\AppData\Local\Temp\3A35.tmp"C:\Users\Admin\AppData\Local\Temp\3A35.tmp"68⤵
-
C:\Users\Admin\AppData\Local\Temp\3AA3.tmp"C:\Users\Admin\AppData\Local\Temp\3AA3.tmp"69⤵
-
C:\Users\Admin\AppData\Local\Temp\3B10.tmp"C:\Users\Admin\AppData\Local\Temp\3B10.tmp"70⤵
-
C:\Users\Admin\AppData\Local\Temp\3B7D.tmp"C:\Users\Admin\AppData\Local\Temp\3B7D.tmp"71⤵
-
C:\Users\Admin\AppData\Local\Temp\3BDB.tmp"C:\Users\Admin\AppData\Local\Temp\3BDB.tmp"72⤵
-
C:\Users\Admin\AppData\Local\Temp\3C49.tmp"C:\Users\Admin\AppData\Local\Temp\3C49.tmp"73⤵
-
C:\Users\Admin\AppData\Local\Temp\3CB6.tmp"C:\Users\Admin\AppData\Local\Temp\3CB6.tmp"74⤵
-
C:\Users\Admin\AppData\Local\Temp\3D14.tmp"C:\Users\Admin\AppData\Local\Temp\3D14.tmp"75⤵
-
C:\Users\Admin\AppData\Local\Temp\3D81.tmp"C:\Users\Admin\AppData\Local\Temp\3D81.tmp"76⤵
-
C:\Users\Admin\AppData\Local\Temp\3DCF.tmp"C:\Users\Admin\AppData\Local\Temp\3DCF.tmp"77⤵
-
C:\Users\Admin\AppData\Local\Temp\3E2D.tmp"C:\Users\Admin\AppData\Local\Temp\3E2D.tmp"78⤵
-
C:\Users\Admin\AppData\Local\Temp\3E8B.tmp"C:\Users\Admin\AppData\Local\Temp\3E8B.tmp"79⤵
-
C:\Users\Admin\AppData\Local\Temp\3ED9.tmp"C:\Users\Admin\AppData\Local\Temp\3ED9.tmp"80⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\3F37.tmp"C:\Users\Admin\AppData\Local\Temp\3F37.tmp"81⤵
-
C:\Users\Admin\AppData\Local\Temp\3F85.tmp"C:\Users\Admin\AppData\Local\Temp\3F85.tmp"82⤵
-
C:\Users\Admin\AppData\Local\Temp\3FD3.tmp"C:\Users\Admin\AppData\Local\Temp\3FD3.tmp"83⤵
-
C:\Users\Admin\AppData\Local\Temp\4031.tmp"C:\Users\Admin\AppData\Local\Temp\4031.tmp"84⤵
-
C:\Users\Admin\AppData\Local\Temp\408E.tmp"C:\Users\Admin\AppData\Local\Temp\408E.tmp"85⤵
-
C:\Users\Admin\AppData\Local\Temp\40EC.tmp"C:\Users\Admin\AppData\Local\Temp\40EC.tmp"86⤵
-
C:\Users\Admin\AppData\Local\Temp\414A.tmp"C:\Users\Admin\AppData\Local\Temp\414A.tmp"87⤵
-
C:\Users\Admin\AppData\Local\Temp\41A8.tmp"C:\Users\Admin\AppData\Local\Temp\41A8.tmp"88⤵
-
C:\Users\Admin\AppData\Local\Temp\4205.tmp"C:\Users\Admin\AppData\Local\Temp\4205.tmp"89⤵
-
C:\Users\Admin\AppData\Local\Temp\4263.tmp"C:\Users\Admin\AppData\Local\Temp\4263.tmp"90⤵
-
C:\Users\Admin\AppData\Local\Temp\42D0.tmp"C:\Users\Admin\AppData\Local\Temp\42D0.tmp"91⤵
-
C:\Users\Admin\AppData\Local\Temp\432E.tmp"C:\Users\Admin\AppData\Local\Temp\432E.tmp"92⤵
-
C:\Users\Admin\AppData\Local\Temp\438C.tmp"C:\Users\Admin\AppData\Local\Temp\438C.tmp"93⤵
-
C:\Users\Admin\AppData\Local\Temp\43EA.tmp"C:\Users\Admin\AppData\Local\Temp\43EA.tmp"94⤵
-
C:\Users\Admin\AppData\Local\Temp\4438.tmp"C:\Users\Admin\AppData\Local\Temp\4438.tmp"95⤵
-
C:\Users\Admin\AppData\Local\Temp\4486.tmp"C:\Users\Admin\AppData\Local\Temp\4486.tmp"96⤵
-
C:\Users\Admin\AppData\Local\Temp\44D4.tmp"C:\Users\Admin\AppData\Local\Temp\44D4.tmp"97⤵
-
C:\Users\Admin\AppData\Local\Temp\4541.tmp"C:\Users\Admin\AppData\Local\Temp\4541.tmp"98⤵
-
C:\Users\Admin\AppData\Local\Temp\4590.tmp"C:\Users\Admin\AppData\Local\Temp\4590.tmp"99⤵
-
C:\Users\Admin\AppData\Local\Temp\45DE.tmp"C:\Users\Admin\AppData\Local\Temp\45DE.tmp"100⤵
-
C:\Users\Admin\AppData\Local\Temp\463B.tmp"C:\Users\Admin\AppData\Local\Temp\463B.tmp"101⤵
-
C:\Users\Admin\AppData\Local\Temp\46A9.tmp"C:\Users\Admin\AppData\Local\Temp\46A9.tmp"102⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\4707.tmp"C:\Users\Admin\AppData\Local\Temp\4707.tmp"103⤵
-
C:\Users\Admin\AppData\Local\Temp\4764.tmp"C:\Users\Admin\AppData\Local\Temp\4764.tmp"104⤵
-
C:\Users\Admin\AppData\Local\Temp\47C2.tmp"C:\Users\Admin\AppData\Local\Temp\47C2.tmp"105⤵
-
C:\Users\Admin\AppData\Local\Temp\4820.tmp"C:\Users\Admin\AppData\Local\Temp\4820.tmp"106⤵
-
C:\Users\Admin\AppData\Local\Temp\488D.tmp"C:\Users\Admin\AppData\Local\Temp\488D.tmp"107⤵
-
C:\Users\Admin\AppData\Local\Temp\48FB.tmp"C:\Users\Admin\AppData\Local\Temp\48FB.tmp"108⤵
-
C:\Users\Admin\AppData\Local\Temp\4949.tmp"C:\Users\Admin\AppData\Local\Temp\4949.tmp"109⤵
-
C:\Users\Admin\AppData\Local\Temp\4997.tmp"C:\Users\Admin\AppData\Local\Temp\4997.tmp"110⤵
-
C:\Users\Admin\AppData\Local\Temp\49F5.tmp"C:\Users\Admin\AppData\Local\Temp\49F5.tmp"111⤵
-
C:\Users\Admin\AppData\Local\Temp\4A52.tmp"C:\Users\Admin\AppData\Local\Temp\4A52.tmp"112⤵
-
C:\Users\Admin\AppData\Local\Temp\4AB0.tmp"C:\Users\Admin\AppData\Local\Temp\4AB0.tmp"113⤵
-
C:\Users\Admin\AppData\Local\Temp\4B1D.tmp"C:\Users\Admin\AppData\Local\Temp\4B1D.tmp"114⤵
-
C:\Users\Admin\AppData\Local\Temp\4B6C.tmp"C:\Users\Admin\AppData\Local\Temp\4B6C.tmp"115⤵
-
C:\Users\Admin\AppData\Local\Temp\4BBA.tmp"C:\Users\Admin\AppData\Local\Temp\4BBA.tmp"116⤵
-
C:\Users\Admin\AppData\Local\Temp\4C17.tmp"C:\Users\Admin\AppData\Local\Temp\4C17.tmp"117⤵
-
C:\Users\Admin\AppData\Local\Temp\4C75.tmp"C:\Users\Admin\AppData\Local\Temp\4C75.tmp"118⤵
-
C:\Users\Admin\AppData\Local\Temp\4CD3.tmp"C:\Users\Admin\AppData\Local\Temp\4CD3.tmp"119⤵
-
C:\Users\Admin\AppData\Local\Temp\4D31.tmp"C:\Users\Admin\AppData\Local\Temp\4D31.tmp"120⤵
-
C:\Users\Admin\AppData\Local\Temp\4D8E.tmp"C:\Users\Admin\AppData\Local\Temp\4D8E.tmp"121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-