09b68f9ce32037ae064faa3a5f05d2ecd5ff41395a57abfadadaf190143d3a7c

Analysis

max time kernel
93s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
Size

1.1MB
MD5

7add28f0756bfd8d80c4ce4c149a31cd
SHA1

835ad3d5de32f9b736364ed045b1a89f700ea3eb
SHA256

09b68f9ce32037ae064faa3a5f05d2ecd5ff41395a57abfadadaf190143d3a7c
SHA512

473b900fa54fa736042cfdae0246cd80031af0a1f953f9dd572ebce47488d292d618ff83094da58be36d6a2b5ecc190e0ddf681deedfc7c2ed5b347a8726955b
SSDEEP

24576:Iq4w/ekieH6wDgpH5IvSV5NQELQ+ObwyZtpLDNr49oKZbH6:Iq4uekieH6wCIW5iEOw+rDNU9oKZba

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	C525.tmp

Executes dropped EXE 2 IoCs

pid	Process
4532	C525.tmp
4968	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C525.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4532	C525.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4968	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
4968	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
4968	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4968	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
4968	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4968	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
4968	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 4532	1344	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe	85
PID 1344 wrote to memory of 4532	1344	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe	85
PID 1344 wrote to memory of 4532	1344	2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe	85
PID 4532 wrote to memory of 4968	4532	C525.tmp	90
PID 4532 wrote to memory of 4968	4532	C525.tmp	90
PID 4532 wrote to memory of 4968	4532	C525.tmp	90

C:\Users\Admin\AppData\Local\Temp\2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\C525.tmp
  "C:\Users\Admin\AppData\Local\Temp\C525.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe 12F0C5E999C4EC4DC9A9709A2FB7071DAEF377316485B29E83F676D7F50A4936AA82765EC20AF2B91EBFA4966182C9C656C28AE1DDC1ED82A843236994403E85
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-09-14_7add28f0756bfd8d80c4ce4c149a31cd_mafia.exe

Filesize
1.9MB

MD5
8ac6cc3997acedbb6c59ed888ecbf886

SHA1
9250b0373cb2831805af992ef3efc133a3b28740

SHA256
a030f30bd86ab71672e2c83dfe61ed3ca83fd3f8d3ca10a5c79dd8c86f1dcf3c

SHA512
0d4c4326f342528df7134c6093f9128205ac663b0202bea4bd6e85421b5e7c2306bc4bcf80c46a97897195bcc8cb20979f95f4188b3a3af45aa3705b09472d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\C525.tmp

Filesize
1.1MB

MD5
1940d8092ff70e23d967f511e0bb18fa

SHA1
18a4b52386252470720f15a29ec3df12c2623d83

SHA256
7e3da8cbfba99894ee1853e53be7fc80f9e97d36d8f16f452e2c3e4940031a8c

SHA512
9fa7ebcc3bafa239f0eff5b8349355a9cc75eec44f4414d0e812a80d225f1826bb60ec8e80bbe8be32497ecc293342180a4f1e195dff73460688cb3d6818f93c

Download Submit