Malware Analysis Report

2024-12-01 01:49

Sample ID: 241110-bvcrkswjcy
Target: 2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia
SHA256: b6ebe4e2d87c952e4c13f958564613f4228c41101dbf8606e460c2324790c24e
Tags: discovery
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: b6ebe4e2d87c952e4c13f958564613f4228c41101dbf8606e460c2324790c24e

Threat Level: Shows suspicious behavior

The file 2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia was found to show suspicious behavior.

Malicious Activity Summary

discovery

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 01:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 01:27
Reported: 2024-11-10 01:30
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Opens file in notepad (likely ransom note)

Tag: ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\HWID.txt

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | koalabaper.com | udp
US | 172.67.144.88:80 | koalabaper.com | tcp
US | 172.67.144.88:443 | koalabaper.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.187.227:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.19.117.18:80 | crl.microsoft.com | tcp

Files

C:\HWID.txt

MD5: 11d3abde4e7f780c048efa42ba52b10e
SHA1: 51017e632ca1f4f11d9bfb4cfb178c752ae6c09e
SHA256: ef658e5675faa679f339c99897efc6d29c648151fa0d2d50cc7280c1dbd2e57e
SHA512: d73557cf6101d871d2732629bf0d5732fadf5912ed1c154b0207b891c144bcd011651ea59b47bcf8e7b8bd31e7cd09807d460585fe0f9ceb600b4d2169439c82

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 01:27
Reported: 2024-11-10 01:30
Platform: win10v2004-20241007-en
Max time kernel: 94s
Max time network: 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | N/A

Opens file in notepad (likely ransom note)

Tag: ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\HWID.txt

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | koalabaper.com | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp
US | 172.67.144.88:80 | koalabaper.com | tcp
US | 172.67.144.88:443 | koalabaper.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.187.227:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | 88.144.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 66.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files

C:\HWID.txt

MD5: 40388087565db816f4d1762f4b16c5e6
SHA1: 03fa54ba7b6842f3c923f443b159a9df19074122
SHA256: 400d80c8fc5e714a23ec99a406ddd609ed529b861df4e584c2231e8ab18dc200
SHA512: 00ab8ac8829c92033f9b458b8102571191d9c64187ca6d59b0fc78b2cdf5f542388af90476b2291166b1f58feeb0049b963e510e882b930cb044418d945ddb2e