Analysis
-
max time kernel
135s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-10-2024 20:41
Behavioral task
behavioral1
Sample
2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia.exe
Resource
win7-20240903-en
windows7-x64
2 signatures
150 seconds
General
-
Target
2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia.exe
-
Size
672KB
-
MD5
93809be4e500789f082a2ecd330bde8b
-
SHA1
75e0aae3a939f29e862220b088646d10414d7e12
-
SHA256
1f7f2749b7b5c96734f5d6186c9be94a3a3cbc4472eaa1630e4e26932d0c0ba0
-
SHA512
d05dd4090b2a10e77ba3a1cf1c41754d10e297764c4289f8e4e89fccbe1b1e1f2215aacef861a1b632a2fb25e915984f5f96714a0e80ee2f35ff9cdd6c5dff42
-
SSDEEP
12288:FTNjEc3PR8R0ZdAscJ9AMUxGi3oUw/cnuXMx2JOVawyu6GPr96/zSb9R3/R9maTg:hNjE2PRhgx3AHf3odEuXMx2JOVKuJPrs
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules 2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{50BDE0CF-E37A-4593-A1D7-8BAC9A913096} = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia.exe|Name=2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia|" 2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules 2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{50BDE0CF-E37A-4593-A1D7-8BAC9A913096} = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia.exe|Name=2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia|" 2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3428 2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia.exe 3428 2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-20_93809be4e500789f082a2ecd330bde8b_mafia.exe"1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3428
Network
-
Remote address:8.8.8.8:53Requestws.xcodelib.netIN AResponse
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestws.xcodelib.netIN AResponse
-
Remote address:8.8.8.8:53Requestws.xcodelib.netIN AResponse
-
Remote address:8.8.8.8:53Requestws.xcodelib.netIN AResponse
-
Remote address:8.8.8.8:53Requestws.xcodelib.netIN AResponse
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestws.xcodelib.netIN AResponse
-
Remote address:8.8.8.8:53Requestws.xcodelib.netIN AResponse
-
Remote address:8.8.8.8:53Requestws.xcodelib.netIN AResponse
-
Remote address:8.8.8.8:53Requestws.xcodelib.netIN AResponse
-
Remote address:8.8.8.8:53Request104.209.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388215_16IMSQNWG15X43RXM&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239339388215_16IMSQNWG15X43RXM&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 437546
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 16057A2D4F024930BB063E0EA418B605 Ref B: LON601060104034 Ref C: 2024-10-20T20:43:16Z
date: Sun, 20 Oct 2024 20:43:15 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239398629741_1IOH1H6D1NJ8OMST7&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239398629741_1IOH1H6D1NJ8OMST7&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 592830
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D09626C6BDEF4CF085C29E7A1B5AE8D7 Ref B: LON601060104034 Ref C: 2024-10-20T20:43:16Z
date: Sun, 20 Oct 2024 20:43:15 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 495498
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1F4E33666634433EB65610A5A8436486 Ref B: LON601060104034 Ref C: 2024-10-20T20:43:16Z
date: Sun, 20 Oct 2024 20:43:15 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239398629742_1P7YH795LJPRHWP9N&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239398629742_1P7YH795LJPRHWP9N&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 500116
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D2B039375D8842088525AEA6BA4EC0AC Ref B: LON601060104034 Ref C: 2024-10-20T20:43:16Z
date: Sun, 20 Oct 2024 20:43:15 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388214_1UWGHWC2WCGKUMA6H&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239339388214_1UWGHWC2WCGKUMA6H&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 647849
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 703E5D7E96774A0F841A8C3F88B53B6E Ref B: LON601060104034 Ref C: 2024-10-20T20:43:16Z
date: Sun, 20 Oct 2024 20:43:15 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 525311
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8C01C5678393401AAEA95C9AA0BD9BF2 Ref B: LON601060104034 Ref C: 2024-10-20T20:43:16Z
date: Sun, 20 Oct 2024 20:43:15 GMT
-
Remote address:8.8.8.8:53Request138.201.86.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request10.27.171.150.in-addr.arpaIN PTRResponse
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
150.171.27.10:443https://tse1.mm.bing.net/th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http2132.7kB 3.3MB 2404 2397
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388215_16IMSQNWG15X43RXM&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239398629741_1IOH1H6D1NJ8OMST7&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239398629742_1P7YH795LJPRHWP9N&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388214_1UWGHWC2WCGKUMA6H&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200 -
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
61 B 135 B 1 1
DNS Request
ws.xcodelib.net
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
71.31.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
-
61 B 135 B 1 1
DNS Request
ws.xcodelib.net
-
61 B 135 B 1 1
DNS Request
ws.xcodelib.net
-
61 B 135 B 1 1
DNS Request
ws.xcodelib.net
-
61 B 135 B 1 1
DNS Request
ws.xcodelib.net
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
61 B 135 B 1 1
DNS Request
ws.xcodelib.net
-
61 B 135 B 1 1
DNS Request
ws.xcodelib.net
-
61 B 135 B 1 1
DNS Request
ws.xcodelib.net
-
61 B 135 B 1 1
DNS Request
ws.xcodelib.net
-
73 B 133 B 1 1
DNS Request
104.209.201.84.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10150.171.28.10
-
72 B 158 B 1 1
DNS Request
138.201.86.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
10.27.171.150.in-addr.arpa