51373c0c4512109ee8bba8149f5fa371cb944081aaa38108ce6077e4e23da862

General

Target

2024-10-05_3cae4581ac71614638012763dfcc4150_mafia.exe
Size

2.6MB
MD5

3cae4581ac71614638012763dfcc4150
SHA1

c162658b1b792427f6717186c599bb2d1a451289
SHA256

51373c0c4512109ee8bba8149f5fa371cb944081aaa38108ce6077e4e23da862
SHA512

140a1c3e29dcb75dd1695a14cdbfab0e589d3fd7827ac71376490ee289a467ccd0a70de7c72c3035a8b09a8aaf32340fabb915bc92f8eeeca4bcf038f8af40cd
SSDEEP

49152:OTGkQy5QZuTtS0rQMYOQ+q8CE0TG4QnTGHQc9KFeMv:OKkVWsM0r1QnDK4uKHT0Feu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3764	92bc8a48

Unexpected DNS network traffic destination 18 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	92bc8a48
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	92bc8a48
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	92bc8a48
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	92bc8a48
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	92bc8a48
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3	92bc8a48
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	92bc8a48
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	92bc8a48
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	92bc8a48
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	92bc8a48
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	92bc8a48
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_3AF0FDC80EA858911339035786739FF3	92bc8a48
File created	C:\Windows\SysWOW64\92bc8a48	2024-10-05_3cae4581ac71614638012763dfcc4150_mafia.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3660-0-0x00000000009E0000-0x0000000000A69000-memory.dmp	upx
behavioral2/files/0x000900000002345e-2.dat	upx
behavioral2/memory/3764-4-0x00000000008D0000-0x0000000000959000-memory.dmp	upx
behavioral2/memory/3660-16-0x00000000009E0000-0x0000000000A69000-memory.dmp	upx
behavioral2/memory/3764-18-0x00000000008D0000-0x0000000000959000-memory.dmp	upx
behavioral2/memory/3764-22-0x00000000008D0000-0x0000000000959000-memory.dmp	upx
behavioral2/memory/3660-37-0x00000000009E0000-0x0000000000A69000-memory.dmp	upx
behavioral2/memory/3764-38-0x00000000008D0000-0x0000000000959000-memory.dmp	upx
behavioral2/memory/3660-41-0x00000000009E0000-0x0000000000A69000-memory.dmp	upx
behavioral2/memory/3660-43-0x00000000009E0000-0x0000000000A69000-memory.dmp	upx
behavioral2/memory/3764-44-0x00000000008D0000-0x0000000000959000-memory.dmp	upx
behavioral2/memory/3660-49-0x00000000009E0000-0x0000000000A69000-memory.dmp	upx
behavioral2/memory/3660-54-0x00000000009E0000-0x0000000000A69000-memory.dmp	upx
behavioral2/memory/3660-58-0x00000000009E0000-0x0000000000A69000-memory.dmp	upx
behavioral2/memory/3660-61-0x00000000009E0000-0x0000000000A69000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4070e8	92bc8a48
File opened for modification	C:\Windows\3ea918	2024-10-05_3cae4581ac71614638012763dfcc4150_mafia.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_3cae4581ac71614638012763dfcc4150_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92bc8a48

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	92bc8a48
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	92bc8a48
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	92bc8a48
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	92bc8a48
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	92bc8a48
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	92bc8a48
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	92bc8a48
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	92bc8a48
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	92bc8a48

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3764	92bc8a48
3764	92bc8a48
3764	92bc8a48
3764	92bc8a48
3764	92bc8a48
3764	92bc8a48
3764	92bc8a48
3764	92bc8a48
3660	2024-10-05_3cae4581ac71614638012763dfcc4150_mafia.exe
3660	2024-10-05_3cae4581ac71614638012763dfcc4150_mafia.exe
3660	2024-10-05_3cae4581ac71614638012763dfcc4150_mafia.exe
3660	2024-10-05_3cae4581ac71614638012763dfcc4150_mafia.exe
3660	2024-10-05_3cae4581ac71614638012763dfcc4150_mafia.exe
3660	2024-10-05_3cae4581ac71614638012763dfcc4150_mafia.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	2024-10-05_3cae4581ac71614638012763dfcc4150_mafia.exe
Token: SeTcbPrivilege	3660	2024-10-05_3cae4581ac71614638012763dfcc4150_mafia.exe
Token: SeDebugPrivilege	3764	92bc8a48
Token: SeTcbPrivilege	3764	92bc8a48

C:\Users\Admin\AppData\Local\Temp\2024-10-05_3cae4581ac71614638012763dfcc4150_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_3cae4581ac71614638012763dfcc4150_mafia.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\Syswow64\92bc8a48
C:\Windows\Syswow64\92bc8a48
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\92bc8a48

Filesize
2.6MB

MD5
bdd441c3b5a3a6792ae546c29a748733

SHA1
6ae7c2d953395ed65bb9a0329c2f0895227d564f

SHA256
e602927e709a1ba371e37cbb8160d5749d85a07ecc8b9a8da24eac16def4a35c

SHA512
75a61987df8767fe267bf3d00becd4524820d93d77a40e9ce200c4b6801f29c34b05ce744253809dca321a0b4f0de0f61e9e249c5e9d0997451bc3112ff1f5fa

Download Submit
memory/3660-37-0x00000000009E0000-0x0000000000A69000-memory.dmp

Filesize
548KB

Download
memory/3660-49-0x00000000009E0000-0x0000000000A69000-memory.dmp

Filesize
548KB

Download
memory/3660-16-0x00000000009E0000-0x0000000000A69000-memory.dmp

Filesize
548KB

Download
memory/3660-61-0x00000000009E0000-0x0000000000A69000-memory.dmp

Filesize
548KB

Download
memory/3660-58-0x00000000009E0000-0x0000000000A69000-memory.dmp

Filesize
548KB

Download
memory/3660-0-0x00000000009E0000-0x0000000000A69000-memory.dmp

Filesize
548KB

Download
memory/3660-54-0x00000000009E0000-0x0000000000A69000-memory.dmp

Filesize
548KB

Download
memory/3660-41-0x00000000009E0000-0x0000000000A69000-memory.dmp

Filesize
548KB

Download
memory/3660-43-0x00000000009E0000-0x0000000000A69000-memory.dmp

Filesize
548KB

Download
memory/3764-44-0x00000000008D0000-0x0000000000959000-memory.dmp

Filesize
548KB

Download
memory/3764-4-0x00000000008D0000-0x0000000000959000-memory.dmp

Filesize
548KB

Download
memory/3764-38-0x00000000008D0000-0x0000000000959000-memory.dmp

Filesize
548KB

Download
memory/3764-22-0x00000000008D0000-0x0000000000959000-memory.dmp

Filesize
548KB

Download
memory/3764-18-0x00000000008D0000-0x0000000000959000-memory.dmp

Filesize
548KB

Download

Analysis

Sharing