Analysis Overview
SHA256
b6ebe4e2d87c952e4c13f958564613f4228c41101dbf8606e460c2324790c24e
Threat Level: Shows suspicious behavior
The file 2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:27
Reported
2024-11-10 01:30
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2072 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 2072 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 2072 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 2072 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe"
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\HWID.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | koalabaper.com | udp |
| US | 172.67.144.88:80 | koalabaper.com | tcp |
| US | 172.67.144.88:443 | koalabaper.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
Files
C:\HWID.txt
| MD5 | 11d3abde4e7f780c048efa42ba52b10e |
| SHA1 | 51017e632ca1f4f11d9bfb4cfb178c752ae6c09e |
| SHA256 | ef658e5675faa679f339c99897efc6d29c648151fa0d2d50cc7280c1dbd2e57e |
| SHA512 | d73557cf6101d871d2732629bf0d5732fadf5912ed1c154b0207b891c144bcd011651ea59b47bcf8e7b8bd31e7cd09807d460585fe0f9ceb600b4d2169439c82 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:27
Reported
2024-11-10 01:30
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
137s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4820 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 4820 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
| PID 4820 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe | C:\Windows\SysWOW64\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-10_1de7813f43e641f1ecb0d951c5b2c280_mafia.exe"
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\HWID.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | koalabaper.com | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 172.67.144.88:80 | koalabaper.com | tcp |
| US | 172.67.144.88:443 | koalabaper.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 88.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\HWID.txt
| MD5 | 40388087565db816f4d1762f4b16c5e6 |
| SHA1 | 03fa54ba7b6842f3c923f443b159a9df19074122 |
| SHA256 | 400d80c8fc5e714a23ec99a406ddd609ed529b861df4e584c2231e8ab18dc200 |
| SHA512 | 00ab8ac8829c92033f9b458b8102571191d9c64187ca6d59b0fc78b2cdf5f542388af90476b2291166b1f58feeb0049b963e510e882b930cb044418d945ddb2e |