09b68f9ce32037ae064faa3a5f05d2ecd5ff41395a57abfadadaf190143d3a7c

General

Target

2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
Size

1.1MB
MD5

7add28f0756bfd8d80c4ce4c149a31cd
SHA1

835ad3d5de32f9b736364ed045b1a89f700ea3eb
SHA256

09b68f9ce32037ae064faa3a5f05d2ecd5ff41395a57abfadadaf190143d3a7c
SHA512

473b900fa54fa736042cfdae0246cd80031af0a1f953f9dd572ebce47488d292d618ff83094da58be36d6a2b5ecc190e0ddf681deedfc7c2ed5b347a8726955b
SSDEEP

24576:Iq4w/ekieH6wDgpH5IvSV5NQELQ+ObwyZtpLDNr49oKZbH6:Iq4uekieH6wCIW5iEOw+rDNU9oKZba

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1724	EF00.tmp
2812	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe

Loads dropped DLL 2 IoCs

pid	Process
2648	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
1724	EF00.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EF00.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2812	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1724	EF00.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2812	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
2812	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
2812	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2812	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
2812	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2812	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
2812	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 1724	2648	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe	30
PID 2648 wrote to memory of 1724	2648	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe	30
PID 2648 wrote to memory of 1724	2648	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe	30
PID 2648 wrote to memory of 1724	2648	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe	30
PID 1724 wrote to memory of 2812	1724	EF00.tmp	31
PID 1724 wrote to memory of 2812	1724	EF00.tmp	31
PID 1724 wrote to memory of 2812	1724	EF00.tmp	31
PID 1724 wrote to memory of 2812	1724	EF00.tmp	31

C:\Users\Admin\AppData\Local\Temp\2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\EF00.tmp
  "C:\Users\Admin\AppData\Local\Temp\EF00.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe B37778D118E3737A93A028B20FBD471148ECFB2811EDEE5F9C66B39DFA803E781DE603D52EA314DACADBB1B8242C680DFBF020BC05F4AC19276138D39F69E5A6
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe

Filesize
1.9MB

MD5
8ac6cc3997acedbb6c59ed888ecbf886

SHA1
9250b0373cb2831805af992ef3efc133a3b28740

SHA256
a030f30bd86ab71672e2c83dfe61ed3ca83fd3f8d3ca10a5c79dd8c86f1dcf3c

SHA512
0d4c4326f342528df7134c6093f9128205ac663b0202bea4bd6e85421b5e7c2306bc4bcf80c46a97897195bcc8cb20979f95f4188b3a3af45aa3705b09472d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF00.tmp

Filesize
1.1MB

MD5
906daf86e4dc99dfc803b57a093bc56f

SHA1
8918bfd82acb0425a8566d18e271dd7f72f1d880

SHA256
95621e502b39c76d282a9b8dbeb249a74038649ad0cc103eeb2ef8eda28947fe

SHA512
e83ea41803c036242d556baf47671b35166289ff002292155bbe8a00fc671b2ed556b828e72c225e5e5a53157a06a3534528ff9b337712cb56e2ed75d4f46f6d

Download Submit
memory/2812-13-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2812-14-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing