129206afe3923bd775ac814ae13d78bd381e5873ec4f9517afc75a69d5a8cd18

General

Target

2024-09-07_72f1329d91d27848cee4f5f6157d8965_mafia_revil.exe
Size

5.0MB
MD5

72f1329d91d27848cee4f5f6157d8965
SHA1

409a41b98af0f14ff3e347beea00e0afbcb83ef0
SHA256

129206afe3923bd775ac814ae13d78bd381e5873ec4f9517afc75a69d5a8cd18
SHA512

314234e1bc8f715c8522b7b77606a3e1d5c0b6368ca5859b04f12b4d5c14d80444790a1e9b6b9f990487061f7f55644f6e70e6652de5437f515040b22b67e9d0
SSDEEP

98304:DGUog8ijd6uFpQCeGH0WvKODFQAJIC/tQnN+J7:nog8ip4GH0IVFQgIC/7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2744	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1720	Iquumm.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2184-6-0x0000000010000000-0x00000000103A6000-memory.dmp	upx
behavioral1/memory/2184-4-0x0000000010000000-0x00000000103A6000-memory.dmp	upx
behavioral1/memory/2184-15-0x0000000010000000-0x00000000103A6000-memory.dmp	upx
behavioral1/memory/2184-1-0x0000000010000000-0x00000000103A6000-memory.dmp	upx
behavioral1/memory/2184-5-0x0000000010000000-0x00000000103A6000-memory.dmp	upx
behavioral1/memory/1720-28-0x0000000010000000-0x00000000103A6000-memory.dmp	upx
behavioral1/memory/2744-45-0x0000000010000000-0x00000000103A6000-memory.dmp	upx
behavioral1/memory/2184-46-0x0000000010000000-0x00000000103A6000-memory.dmp	upx
behavioral1/memory/2744-49-0x0000000010000000-0x00000000103A6000-memory.dmp	upx
behavioral1/memory/2744-48-0x0000000010000000-0x00000000103A6000-memory.dmp	upx
behavioral1/memory/1720-43-0x0000000010000000-0x00000000103A6000-memory.dmp	upx
behavioral1/memory/2744-52-0x0000000010000000-0x00000000103A6000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ini.ini	2024-09-07_72f1329d91d27848cee4f5f6157d8965_mafia_revil.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\Iquumm.exe	2024-09-07_72f1329d91d27848cee4f5f6157d8965_mafia_revil.exe
File opened for modification	C:\windows\Iquumm.exe	2024-09-07_72f1329d91d27848cee4f5f6157d8965_mafia_revil.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iquumm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2744	1720	Iquumm.exe	32
PID 1720 wrote to memory of 2744	1720	Iquumm.exe	32
PID 1720 wrote to memory of 2744	1720	Iquumm.exe	32
PID 1720 wrote to memory of 2744	1720	Iquumm.exe	32
PID 1720 wrote to memory of 2744	1720	Iquumm.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-09-07_72f1329d91d27848cee4f5f6157d8965_mafia_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_72f1329d91d27848cee4f5f6157d8965_mafia_revil.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2184

C:\windows\Iquumm.exe
C:\windows\Iquumm.exe -svc
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -Puppet
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Kernel.txt

Filesize
62B

MD5
ad634d3d7aedd02d1a4604a46d70f5b5

SHA1
a4289d77b79cf3fd3cde83b77dd554bb5af7fa16

SHA256
f8000450e662248dbf72426b1c8ce3c30b8cf29eca5b3d545c76de1ed75811f5

SHA512
92172c42bfc359ace08c16d92a92e6883c0593d81023ce1d9f29034f53fc3c0ee768e56415b8c1a70410a79d91116e0d1fd7cf316cee42353ae18cffd528dfad

Download Submit
C:\Kernel.txt

Filesize
106B

MD5
c922efffdb67dc51e04a21b1ac6dd00d

SHA1
c506f9f86cf78b78a3ba7e425f6bfd1e524bec6b

SHA256
2ff1c13878d938dac4abf7c9700ab193fa9ee4476dcd6a47e2c0786a21f3b6db

SHA512
108acbc9c6c74665e20c24063fb5e2b9b7bff07c8f86fd2cf39b4fd7bb2130d90a23de38607acc539c3e201f8ccb2dbe988a2a973288a79115a29e8e2744db78

Download Submit
C:\Users\Public\Documents\netuser.tmp

Filesize
260B

MD5
efb6fefd3c4bb56ed573b2705b316e1b

SHA1
a08b42e4382c29440ad91698ff7fee77ceb78682

SHA256
95560c0a718a241ef6afbb21e5f87804fb0c6352ed535c50740adf32a0088f7a

SHA512
cf8579734774b32c67b21590f10e0e997fbb2886bdf9cc33b5a7cd9080c2473c73540f698d1f2f09c70fbe70ddfa1844464f57fb4b36f1a947eb2e13d307065d

Download Submit
C:\Windows\Iquumm.exe

Filesize
5.0MB

MD5
72f1329d91d27848cee4f5f6157d8965

SHA1
409a41b98af0f14ff3e347beea00e0afbcb83ef0

SHA256
129206afe3923bd775ac814ae13d78bd381e5873ec4f9517afc75a69d5a8cd18

SHA512
314234e1bc8f715c8522b7b77606a3e1d5c0b6368ca5859b04f12b4d5c14d80444790a1e9b6b9f990487061f7f55644f6e70e6652de5437f515040b22b67e9d0

Download Submit
memory/1720-43-0x0000000010000000-0x00000000103A6000-memory.dmp

Filesize
3.6MB

Download
memory/1720-28-0x0000000010000000-0x00000000103A6000-memory.dmp

Filesize
3.6MB

Download
memory/2184-1-0x0000000010000000-0x00000000103A6000-memory.dmp

Filesize
3.6MB

Download
memory/2184-5-0x0000000010000000-0x00000000103A6000-memory.dmp

Filesize
3.6MB

Download
memory/2184-0-0x0000000002CA0000-0x0000000002E1A000-memory.dmp

Filesize
1.5MB

Download
memory/2184-46-0x0000000010000000-0x00000000103A6000-memory.dmp

Filesize
3.6MB

Download
memory/2184-15-0x0000000010000000-0x00000000103A6000-memory.dmp

Filesize
3.6MB

Download
memory/2184-4-0x0000000010000000-0x00000000103A6000-memory.dmp

Filesize
3.6MB

Download
memory/2184-6-0x0000000010000000-0x00000000103A6000-memory.dmp

Filesize
3.6MB

Download
memory/2744-29-0x0000000000170000-0x00000000002EA000-memory.dmp

Filesize
1.5MB

Download
memory/2744-45-0x0000000010000000-0x00000000103A6000-memory.dmp

Filesize
3.6MB

Download
memory/2744-49-0x0000000010000000-0x00000000103A6000-memory.dmp

Filesize
3.6MB

Download
memory/2744-48-0x0000000010000000-0x00000000103A6000-memory.dmp

Filesize
3.6MB

Download
memory/2744-52-0x0000000010000000-0x00000000103A6000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing