d997a88d25217aa3eaa959b866c718ec09d7a61574007c5959b79af92f5d4a8b

Analysis

max time kernel
93s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_0607843bfee5e04b5e80ed966ad7c2c6_mafia.exe
Size

535KB
MD5

0607843bfee5e04b5e80ed966ad7c2c6
SHA1

f19c1057f4fd2080743c1e1c8b4cad7e774e2e5a
SHA256

d997a88d25217aa3eaa959b866c718ec09d7a61574007c5959b79af92f5d4a8b
SHA512

1799f52f9ffd0dc5e27ad73c1e76a16f13ddb8d88f8c175407aa27c31b5fa42703adc836e5ab5ab4d488382e799ee42ecb4a50474ef2d088062998f2b292f92e
SSDEEP

12288:si4g+yU+0pAiv+9Hn16k88M29fBZoBneraI3xUlvjosTdcG93Dn:si4gXn0pD+dqlEcnm1ulvjRhFJ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	9F5D.tmp

Executes dropped EXE 2 IoCs

pid	Process
4572	9F5D.tmp
4480	2024-10-13_0607843bfee5e04b5e80ed966ad7c2c6_mafia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_0607843bfee5e04b5e80ed966ad7c2c6_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9F5D.tmp

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4572	9F5D.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 4572	2796	2024-10-13_0607843bfee5e04b5e80ed966ad7c2c6_mafia.exe	83
PID 2796 wrote to memory of 4572	2796	2024-10-13_0607843bfee5e04b5e80ed966ad7c2c6_mafia.exe	83
PID 2796 wrote to memory of 4572	2796	2024-10-13_0607843bfee5e04b5e80ed966ad7c2c6_mafia.exe	83
PID 4572 wrote to memory of 4480	4572	9F5D.tmp	88
PID 4572 wrote to memory of 4480	4572	9F5D.tmp	88
PID 4572 wrote to memory of 4480	4572	9F5D.tmp	88

C:\Users\Admin\AppData\Local\Temp\2024-10-13_0607843bfee5e04b5e80ed966ad7c2c6_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_0607843bfee5e04b5e80ed966ad7c2c6_mafia.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\9F5D.tmp
  "C:\Users\Admin\AppData\Local\Temp\9F5D.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-10-13_0607843bfee5e04b5e80ed966ad7c2c6_mafia.exe E2C3ADF06267E853704426FC6147FD628B53A1AD0BE0D0135D3DB6101F0D38AF136A04445A9B908111E9B3973E946B5ADB2B12FE70CA366F1167B9BF4DDFD343
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\2024-10-13_0607843bfee5e04b5e80ed966ad7c2c6_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-13_0607843bfee5e04b5e80ed966ad7c2c6_mafia.exe"
    3⤵
    - Executes dropped EXE
    PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-10-13_0607843bfee5e04b5e80ed966ad7c2c6_mafia.exe

Filesize
255KB

MD5
b7fd76103054f562a11ce616d50a0611

SHA1
7473656e5a33b9ecc401985f917f65054bcbd16c

SHA256
aba5c0bff0442597ff8743b4fe7d28de945b78be01eb88fc4a95cadd1fbee409

SHA512
2a2996476dbfdcd50c39c08dc91a179eff4f016013707c9c0972c6e7a0e179b9da4fcff5e2d4d4883a31312bfefdb9a88d1490e1baaa4728a516c5c7f7bdfbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F5D.tmp

Filesize
535KB

MD5
23d124e50a68a7b2be55fe8efcc48d68

SHA1
622e6408bdfd44aaac1f46a39e0e86ba59d10191

SHA256
7d3251fda9b6ac3f7801d9dc5515c82e7d9af29531222c80b40fe92024f69f3c

SHA512
aab428f2bcfd11a65093b178df158d1a709ab93705ad3167ac7e0c302dc922da6077efb496504150b387289998cf157dd7e3ae30ad4dfe8737781b64e01ebade

Download Submit