2d90fb1115c189142569e8682ca11300b21d7b6b62442cd9ee779a2ff91d0d4d

General

Target

2024-10-09_418f53cb7d4aefd0290c08b2dd1f9bc1_mafia.exe
Size

467KB
MD5

418f53cb7d4aefd0290c08b2dd1f9bc1
SHA1

ec00131e1f76b1caa327a495392e572dc5ed9a47
SHA256

2d90fb1115c189142569e8682ca11300b21d7b6b62442cd9ee779a2ff91d0d4d
SHA512

02ce19516c1c7ab3cda79aa13d7f393de352300c02afd24d2e4868dbf13677fe3cea5276b5c071fbc818002e9a4ae92fc582c6f4bb058f7d5b2e6dbf731382c8
SSDEEP

12288:Bb4bZudi79L+45Pq1sC+XbniUw9z6egTjDq3fAk:Bb4bcdkL+aqH+X7wHG8P

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2468	202E.tmp

Loads dropped DLL 1 IoCs

pid	Process
1120	2024-10-09_418f53cb7d4aefd0290c08b2dd1f9bc1_mafia.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_418f53cb7d4aefd0290c08b2dd1f9bc1_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2760	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2468	202E.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2760	WINWORD.EXE
2760	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2468	1120	2024-10-09_418f53cb7d4aefd0290c08b2dd1f9bc1_mafia.exe	29
PID 1120 wrote to memory of 2468	1120	2024-10-09_418f53cb7d4aefd0290c08b2dd1f9bc1_mafia.exe	29
PID 1120 wrote to memory of 2468	1120	2024-10-09_418f53cb7d4aefd0290c08b2dd1f9bc1_mafia.exe	29
PID 1120 wrote to memory of 2468	1120	2024-10-09_418f53cb7d4aefd0290c08b2dd1f9bc1_mafia.exe	29
PID 2468 wrote to memory of 2760	2468	202E.tmp	30
PID 2468 wrote to memory of 2760	2468	202E.tmp	30
PID 2468 wrote to memory of 2760	2468	202E.tmp	30
PID 2468 wrote to memory of 2760	2468	202E.tmp	30
PID 2760 wrote to memory of 2624	2760	WINWORD.EXE	32
PID 2760 wrote to memory of 2624	2760	WINWORD.EXE	32
PID 2760 wrote to memory of 2624	2760	WINWORD.EXE	32
PID 2760 wrote to memory of 2624	2760	WINWORD.EXE	32

C:\Users\Admin\AppData\Local\Temp\2024-10-09_418f53cb7d4aefd0290c08b2dd1f9bc1_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_418f53cb7d4aefd0290c08b2dd1f9bc1_mafia.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\202E.tmp
  "C:\Users\Admin\AppData\Local\Temp\202E.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-10-09_418f53cb7d4aefd0290c08b2dd1f9bc1_mafia.exe F4B0153D6CABFEADCD039B4E0571CA7F3483F4EC27DAA5675A5D34C5B925499AB777146F08523205E942E168EAFB5E13469BCD5969B5A008BB29A1E8AD566D4F
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-10-09_418f53cb7d4aefd0290c08b2dd1f9bc1_mafia.doc"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-10-09_418f53cb7d4aefd0290c08b2dd1f9bc1_mafia.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\202E.tmp

Filesize
467KB

MD5
d84db7e205bf75988231d91714a619a0

SHA1
520a12c657dee3cfa882a330a88b775eb96519f7

SHA256
3ec3f404cefc76b580b73e6141856ed05ce9444a223144bd9c61f57586048154

SHA512
739a6b79a83cc6e25e9221bd16c59708b6ac86129c0fe4f51601be1f59e6ffc3628a1dd0626b303d06658fb19e88cad7fceca610d97c1e7c9206d5ef6f530b9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2760-7-0x000000002F261000-0x000000002F262000-memory.dmp

Filesize
4KB

Download
memory/2760-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2760-9-0x0000000070BED000-0x0000000070BF8000-memory.dmp

Filesize
44KB

Download
memory/2760-19-0x0000000070BED000-0x0000000070BF8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing