60720a032222d5089f5a0f2f1ccee04bd6652262d22946f911da95dd8f61491e

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_3bfaa28310d5e92817c95d838ab90640_mafia.exe
Size

486KB
MD5

3bfaa28310d5e92817c95d838ab90640
SHA1

3086272a1dc431536c241d21bf5ae2fbfe9f8620
SHA256

60720a032222d5089f5a0f2f1ccee04bd6652262d22946f911da95dd8f61491e
SHA512

387523f92a3df358d5ad777c76580471758d3686aae280ed44d2897249f97bda24282178fe6b93227dc1d408603e9fe384b865183e0efb586b7369e42128c970
SSDEEP

12288:3O4rfItL8HPRCaFzWpTtx15BzB3BLu97rKxUYXhW:3O4rQtGPAaFzWpTtxvBVBi93KxUYXhW

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
600	A8EC.tmp

Executes dropped EXE 1 IoCs

pid	Process
600	A8EC.tmp

Loads dropped DLL 1 IoCs

pid	Process
2332	2024-09-25_3bfaa28310d5e92817c95d838ab90640_mafia.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-25_3bfaa28310d5e92817c95d838ab90640_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A8EC.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 600	2332	2024-09-25_3bfaa28310d5e92817c95d838ab90640_mafia.exe	31
PID 2332 wrote to memory of 600	2332	2024-09-25_3bfaa28310d5e92817c95d838ab90640_mafia.exe	31
PID 2332 wrote to memory of 600	2332	2024-09-25_3bfaa28310d5e92817c95d838ab90640_mafia.exe	31
PID 2332 wrote to memory of 600	2332	2024-09-25_3bfaa28310d5e92817c95d838ab90640_mafia.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-09-25_3bfaa28310d5e92817c95d838ab90640_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_3bfaa28310d5e92817c95d838ab90640_mafia.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\A8EC.tmp
  "C:\Users\Admin\AppData\Local\Temp\A8EC.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-09-25_3bfaa28310d5e92817c95d838ab90640_mafia.exe 9C5A7BEF652206F29813576F4A9995A701BE5CB9790B8AFB31812EC3A064B97E146DD4AC7EBD03D490A1624BF403214F626825E671330ADEAC93A4D15F1C0A26
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A8EC.tmp

Filesize
486KB

MD5
e2c368d32b35af0d1ac04fae798ef386

SHA1
4ccf024ad402533c8d50c1d818772950386d7ee7

SHA256
e4db96008ac10c0ef132479cab6546b26d5c77033b30b89148e1f0126e2e81e6

SHA512
437b22694952a37f6997d8cdc8dca5ccc2cbd8e4429c44307baa529c29da0d55551871dade8a3b223f37185b6eba7ec03729fe264229b0201b3fa755192b8a36

Download Submit