e3e552e3364a9d0c2ab3eda14ffc6d4cccb1ee4f56065255a3c9feb58033fb50

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-03_b9b2befed42d2cd9d340df824f7e9b1a_mafia.exe
Size

444KB
MD5

b9b2befed42d2cd9d340df824f7e9b1a
SHA1

1a3a708025e216fb92011c82d0b681a96a5c71ce
SHA256

e3e552e3364a9d0c2ab3eda14ffc6d4cccb1ee4f56065255a3c9feb58033fb50
SHA512

fe374a0e2935f64ee27611f9e7b044e1f6c1ebbcdd119c98cbf9418e88243bc4329eaea5b372160935d754b1454a49022f57535118b057583580ada5d3530159
SSDEEP

12288:Nb4bZudi79LeEb5Dm4TJywws48gQHbh7OEWxyA:Nb4bcdkLeEb5Dmcok48gQHbhlWx

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2352	AE0B.tmp

Executes dropped EXE 1 IoCs

pid	Process
2352	AE0B.tmp

Loads dropped DLL 1 IoCs

pid	Process
2384	2024-10-03_b9b2befed42d2cd9d340df824f7e9b1a_mafia.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-03_b9b2befed42d2cd9d340df824f7e9b1a_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AE0B.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2352	2384	2024-10-03_b9b2befed42d2cd9d340df824f7e9b1a_mafia.exe	30
PID 2384 wrote to memory of 2352	2384	2024-10-03_b9b2befed42d2cd9d340df824f7e9b1a_mafia.exe	30
PID 2384 wrote to memory of 2352	2384	2024-10-03_b9b2befed42d2cd9d340df824f7e9b1a_mafia.exe	30
PID 2384 wrote to memory of 2352	2384	2024-10-03_b9b2befed42d2cd9d340df824f7e9b1a_mafia.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-10-03_b9b2befed42d2cd9d340df824f7e9b1a_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-03_b9b2befed42d2cd9d340df824f7e9b1a_mafia.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\AE0B.tmp
  "C:\Users\Admin\AppData\Local\Temp\AE0B.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-10-03_b9b2befed42d2cd9d340df824f7e9b1a_mafia.exe 29E04608EEDE69396D3F2002C4D632521D83688D37D6E62AD98E562A8EA9EC9FE417564040A23277B4BDEC7E3B21F28F733BBA8568900662D2720DA501FA1169
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AE0B.tmp

Filesize
444KB

MD5
13f43026810665ddeb972c718cc963b7

SHA1
13b794b8115eef02509800b540a33e3eb7810f13

SHA256
120380ff6e892db628875d41b8bf36d69739cbd70bd9afffab7018c3e1bc957c

SHA512
6d89a68d2a4e1053a24bb9ba971ffdf6960af4b485cdf275c126deabf93b17037f6896055c6dd4cf2742dcf6de088ad8b0c67df85f61c74d5251bd53c186f536

Download Submit