Analysis
-
max time kernel
150s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
27/09/2024, 01:26
General
-
Target
2024-09-27_6473cf7a7cc21c5903edd5e15c14cf53_mafia.exe
-
Size
487KB
-
MD5
6473cf7a7cc21c5903edd5e15c14cf53
-
SHA1
141ab4e9ba86bd469882ea0e4e94ceb4ddcbd198
-
SHA256
68768e7d92204d048481a75c26689f9e1dda2a51e353868ac73d53349e00ee30
-
SHA512
416d316e53234436a2da1bfd6a3208b24f92fbc790ccf32a9fb1776ebb03cfddd6678a3dffaad591a34be2340d015e0e5609781713d0202ebe6988359a2c8e67
-
SSDEEP
12288:HU5rCOTeiJhMgQk9KVeZa1/sjbXtKfI8NZ:HUQOJJ9Pa10GLN
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-27_6473cf7a7cc21c5903edd5e15c14cf53_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-27_6473cf7a7cc21c5903edd5e15c14cf53_mafia.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7FBA.tmp"C:\Users\Admin\AppData\Local\Temp\7FBA.tmp"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8028.tmp"C:\Users\Admin\AppData\Local\Temp\8028.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8095.tmp"C:\Users\Admin\AppData\Local\Temp\8095.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8112.tmp"C:\Users\Admin\AppData\Local\Temp\8112.tmp"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\81AE.tmp"C:\Users\Admin\AppData\Local\Temp\81AE.tmp"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\822B.tmp"C:\Users\Admin\AppData\Local\Temp\822B.tmp"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\82C7.tmp"C:\Users\Admin\AppData\Local\Temp\82C7.tmp"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8316.tmp"C:\Users\Admin\AppData\Local\Temp\8316.tmp"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8393.tmp"C:\Users\Admin\AppData\Local\Temp\8393.tmp"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\843E.tmp"C:\Users\Admin\AppData\Local\Temp\843E.tmp"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\849C.tmp"C:\Users\Admin\AppData\Local\Temp\849C.tmp"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8519.tmp"C:\Users\Admin\AppData\Local\Temp\8519.tmp"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8577.tmp"C:\Users\Admin\AppData\Local\Temp\8577.tmp"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8604.tmp"C:\Users\Admin\AppData\Local\Temp\8604.tmp"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\86A0.tmp"C:\Users\Admin\AppData\Local\Temp\86A0.tmp"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\871D.tmp"C:\Users\Admin\AppData\Local\Temp\871D.tmp"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\879A.tmp"C:\Users\Admin\AppData\Local\Temp\879A.tmp"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8817.tmp"C:\Users\Admin\AppData\Local\Temp\8817.tmp"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8875.tmp"C:\Users\Admin\AppData\Local\Temp\8875.tmp"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8901.tmp"C:\Users\Admin\AppData\Local\Temp\8901.tmp"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\898E.tmp"C:\Users\Admin\AppData\Local\Temp\898E.tmp"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8A2A.tmp"C:\Users\Admin\AppData\Local\Temp\8A2A.tmp"23⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8AA7.tmp"C:\Users\Admin\AppData\Local\Temp\8AA7.tmp"24⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8B14.tmp"C:\Users\Admin\AppData\Local\Temp\8B14.tmp"25⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8B82.tmp"C:\Users\Admin\AppData\Local\Temp\8B82.tmp"26⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8BEF.tmp"C:\Users\Admin\AppData\Local\Temp\8BEF.tmp"27⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8C5D.tmp"C:\Users\Admin\AppData\Local\Temp\8C5D.tmp"28⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8CF9.tmp"C:\Users\Admin\AppData\Local\Temp\8CF9.tmp"29⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8D66.tmp"C:\Users\Admin\AppData\Local\Temp\8D66.tmp"30⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8DD4.tmp"C:\Users\Admin\AppData\Local\Temp\8DD4.tmp"31⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8E51.tmp"C:\Users\Admin\AppData\Local\Temp\8E51.tmp"32⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8EDD.tmp"C:\Users\Admin\AppData\Local\Temp\8EDD.tmp"33⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8F4B.tmp"C:\Users\Admin\AppData\Local\Temp\8F4B.tmp"34⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8FA8.tmp"C:\Users\Admin\AppData\Local\Temp\8FA8.tmp"35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\8FF6.tmp"C:\Users\Admin\AppData\Local\Temp\8FF6.tmp"36⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9054.tmp"C:\Users\Admin\AppData\Local\Temp\9054.tmp"37⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\90A2.tmp"C:\Users\Admin\AppData\Local\Temp\90A2.tmp"38⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9100.tmp"C:\Users\Admin\AppData\Local\Temp\9100.tmp"39⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\914E.tmp"C:\Users\Admin\AppData\Local\Temp\914E.tmp"40⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\91AC.tmp"C:\Users\Admin\AppData\Local\Temp\91AC.tmp"41⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\920A.tmp"C:\Users\Admin\AppData\Local\Temp\920A.tmp"42⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9258.tmp"C:\Users\Admin\AppData\Local\Temp\9258.tmp"43⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\92A6.tmp"C:\Users\Admin\AppData\Local\Temp\92A6.tmp"44⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9304.tmp"C:\Users\Admin\AppData\Local\Temp\9304.tmp"45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\9381.tmp"C:\Users\Admin\AppData\Local\Temp\9381.tmp"46⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\93CF.tmp"C:\Users\Admin\AppData\Local\Temp\93CF.tmp"47⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\942D.tmp"C:\Users\Admin\AppData\Local\Temp\942D.tmp"48⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\947B.tmp"C:\Users\Admin\AppData\Local\Temp\947B.tmp"49⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\94C9.tmp"C:\Users\Admin\AppData\Local\Temp\94C9.tmp"50⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9536.tmp"C:\Users\Admin\AppData\Local\Temp\9536.tmp"51⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9594.tmp"C:\Users\Admin\AppData\Local\Temp\9594.tmp"52⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9601.tmp"C:\Users\Admin\AppData\Local\Temp\9601.tmp"53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\965F.tmp"C:\Users\Admin\AppData\Local\Temp\965F.tmp"54⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\96BD.tmp"C:\Users\Admin\AppData\Local\Temp\96BD.tmp"55⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\972A.tmp"C:\Users\Admin\AppData\Local\Temp\972A.tmp"56⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9778.tmp"C:\Users\Admin\AppData\Local\Temp\9778.tmp"57⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\97D6.tmp"C:\Users\Admin\AppData\Local\Temp\97D6.tmp"58⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9834.tmp"C:\Users\Admin\AppData\Local\Temp\9834.tmp"59⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9892.tmp"C:\Users\Admin\AppData\Local\Temp\9892.tmp"60⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\98E0.tmp"C:\Users\Admin\AppData\Local\Temp\98E0.tmp"61⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\993D.tmp"C:\Users\Admin\AppData\Local\Temp\993D.tmp"62⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\999B.tmp"C:\Users\Admin\AppData\Local\Temp\999B.tmp"63⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\99E9.tmp"C:\Users\Admin\AppData\Local\Temp\99E9.tmp"64⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9A37.tmp"C:\Users\Admin\AppData\Local\Temp\9A37.tmp"65⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9A86.tmp"C:\Users\Admin\AppData\Local\Temp\9A86.tmp"66⤵
-
C:\Users\Admin\AppData\Local\Temp\9AE3.tmp"C:\Users\Admin\AppData\Local\Temp\9AE3.tmp"67⤵
-
C:\Users\Admin\AppData\Local\Temp\9B41.tmp"C:\Users\Admin\AppData\Local\Temp\9B41.tmp"68⤵
-
C:\Users\Admin\AppData\Local\Temp\9B8F.tmp"C:\Users\Admin\AppData\Local\Temp\9B8F.tmp"69⤵
-
C:\Users\Admin\AppData\Local\Temp\9BED.tmp"C:\Users\Admin\AppData\Local\Temp\9BED.tmp"70⤵
-
C:\Users\Admin\AppData\Local\Temp\9C4B.tmp"C:\Users\Admin\AppData\Local\Temp\9C4B.tmp"71⤵
-
C:\Users\Admin\AppData\Local\Temp\9CA8.tmp"C:\Users\Admin\AppData\Local\Temp\9CA8.tmp"72⤵
-
C:\Users\Admin\AppData\Local\Temp\9CF7.tmp"C:\Users\Admin\AppData\Local\Temp\9CF7.tmp"73⤵
-
C:\Users\Admin\AppData\Local\Temp\9D54.tmp"C:\Users\Admin\AppData\Local\Temp\9D54.tmp"74⤵
-
C:\Users\Admin\AppData\Local\Temp\9DB2.tmp"C:\Users\Admin\AppData\Local\Temp\9DB2.tmp"75⤵
-
C:\Users\Admin\AppData\Local\Temp\9E10.tmp"C:\Users\Admin\AppData\Local\Temp\9E10.tmp"76⤵
-
C:\Users\Admin\AppData\Local\Temp\9E5E.tmp"C:\Users\Admin\AppData\Local\Temp\9E5E.tmp"77⤵
-
C:\Users\Admin\AppData\Local\Temp\9EBC.tmp"C:\Users\Admin\AppData\Local\Temp\9EBC.tmp"78⤵
-
C:\Users\Admin\AppData\Local\Temp\9F19.tmp"C:\Users\Admin\AppData\Local\Temp\9F19.tmp"79⤵
-
C:\Users\Admin\AppData\Local\Temp\9F68.tmp"C:\Users\Admin\AppData\Local\Temp\9F68.tmp"80⤵
-
C:\Users\Admin\AppData\Local\Temp\9FD5.tmp"C:\Users\Admin\AppData\Local\Temp\9FD5.tmp"81⤵
-
C:\Users\Admin\AppData\Local\Temp\A033.tmp"C:\Users\Admin\AppData\Local\Temp\A033.tmp"82⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\A090.tmp"C:\Users\Admin\AppData\Local\Temp\A090.tmp"83⤵
-
C:\Users\Admin\AppData\Local\Temp\A0EE.tmp"C:\Users\Admin\AppData\Local\Temp\A0EE.tmp"84⤵
-
C:\Users\Admin\AppData\Local\Temp\A13C.tmp"C:\Users\Admin\AppData\Local\Temp\A13C.tmp"85⤵
-
C:\Users\Admin\AppData\Local\Temp\A19A.tmp"C:\Users\Admin\AppData\Local\Temp\A19A.tmp"86⤵
-
C:\Users\Admin\AppData\Local\Temp\A1F8.tmp"C:\Users\Admin\AppData\Local\Temp\A1F8.tmp"87⤵
-
C:\Users\Admin\AppData\Local\Temp\A246.tmp"C:\Users\Admin\AppData\Local\Temp\A246.tmp"88⤵
-
C:\Users\Admin\AppData\Local\Temp\A2A4.tmp"C:\Users\Admin\AppData\Local\Temp\A2A4.tmp"89⤵
-
C:\Users\Admin\AppData\Local\Temp\A301.tmp"C:\Users\Admin\AppData\Local\Temp\A301.tmp"90⤵
-
C:\Users\Admin\AppData\Local\Temp\A36F.tmp"C:\Users\Admin\AppData\Local\Temp\A36F.tmp"91⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\A3CD.tmp"C:\Users\Admin\AppData\Local\Temp\A3CD.tmp"92⤵
-
C:\Users\Admin\AppData\Local\Temp\A42A.tmp"C:\Users\Admin\AppData\Local\Temp\A42A.tmp"93⤵
-
C:\Users\Admin\AppData\Local\Temp\A498.tmp"C:\Users\Admin\AppData\Local\Temp\A498.tmp"94⤵
-
C:\Users\Admin\AppData\Local\Temp\A4F5.tmp"C:\Users\Admin\AppData\Local\Temp\A4F5.tmp"95⤵
-
C:\Users\Admin\AppData\Local\Temp\A544.tmp"C:\Users\Admin\AppData\Local\Temp\A544.tmp"96⤵
-
C:\Users\Admin\AppData\Local\Temp\A5A1.tmp"C:\Users\Admin\AppData\Local\Temp\A5A1.tmp"97⤵
-
C:\Users\Admin\AppData\Local\Temp\A5FF.tmp"C:\Users\Admin\AppData\Local\Temp\A5FF.tmp"98⤵
-
C:\Users\Admin\AppData\Local\Temp\A65D.tmp"C:\Users\Admin\AppData\Local\Temp\A65D.tmp"99⤵
-
C:\Users\Admin\AppData\Local\Temp\A6CA.tmp"C:\Users\Admin\AppData\Local\Temp\A6CA.tmp"100⤵
-
C:\Users\Admin\AppData\Local\Temp\A728.tmp"C:\Users\Admin\AppData\Local\Temp\A728.tmp"101⤵
-
C:\Users\Admin\AppData\Local\Temp\A776.tmp"C:\Users\Admin\AppData\Local\Temp\A776.tmp"102⤵
-
C:\Users\Admin\AppData\Local\Temp\A7D4.tmp"C:\Users\Admin\AppData\Local\Temp\A7D4.tmp"103⤵
-
C:\Users\Admin\AppData\Local\Temp\A841.tmp"C:\Users\Admin\AppData\Local\Temp\A841.tmp"104⤵
-
C:\Users\Admin\AppData\Local\Temp\A8AF.tmp"C:\Users\Admin\AppData\Local\Temp\A8AF.tmp"105⤵
-
C:\Users\Admin\AppData\Local\Temp\A90C.tmp"C:\Users\Admin\AppData\Local\Temp\A90C.tmp"106⤵
-
C:\Users\Admin\AppData\Local\Temp\A96A.tmp"C:\Users\Admin\AppData\Local\Temp\A96A.tmp"107⤵
-
C:\Users\Admin\AppData\Local\Temp\A9C8.tmp"C:\Users\Admin\AppData\Local\Temp\A9C8.tmp"108⤵
-
C:\Users\Admin\AppData\Local\Temp\AA26.tmp"C:\Users\Admin\AppData\Local\Temp\AA26.tmp"109⤵
-
C:\Users\Admin\AppData\Local\Temp\AA74.tmp"C:\Users\Admin\AppData\Local\Temp\AA74.tmp"110⤵
-
C:\Users\Admin\AppData\Local\Temp\AAC2.tmp"C:\Users\Admin\AppData\Local\Temp\AAC2.tmp"111⤵
-
C:\Users\Admin\AppData\Local\Temp\AB10.tmp"C:\Users\Admin\AppData\Local\Temp\AB10.tmp"112⤵
-
C:\Users\Admin\AppData\Local\Temp\AB7D.tmp"C:\Users\Admin\AppData\Local\Temp\AB7D.tmp"113⤵
-
C:\Users\Admin\AppData\Local\Temp\ABEB.tmp"C:\Users\Admin\AppData\Local\Temp\ABEB.tmp"114⤵
-
C:\Users\Admin\AppData\Local\Temp\AC48.tmp"C:\Users\Admin\AppData\Local\Temp\AC48.tmp"115⤵
-
C:\Users\Admin\AppData\Local\Temp\ACA6.tmp"C:\Users\Admin\AppData\Local\Temp\ACA6.tmp"116⤵
-
C:\Users\Admin\AppData\Local\Temp\AD04.tmp"C:\Users\Admin\AppData\Local\Temp\AD04.tmp"117⤵
-
C:\Users\Admin\AppData\Local\Temp\AD62.tmp"C:\Users\Admin\AppData\Local\Temp\AD62.tmp"118⤵
-
C:\Users\Admin\AppData\Local\Temp\ADB0.tmp"C:\Users\Admin\AppData\Local\Temp\ADB0.tmp"119⤵
-
C:\Users\Admin\AppData\Local\Temp\AE0E.tmp"C:\Users\Admin\AppData\Local\Temp\AE0E.tmp"120⤵
-
C:\Users\Admin\AppData\Local\Temp\AE6B.tmp"C:\Users\Admin\AppData\Local\Temp\AE6B.tmp"121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-