5f52d96f5b5ec406b3b779352bcd49aa39d8c25e563d216b25e030d327f5ec61

General

Target

2024-11-30_585866178e4b537e8ab651649e739bad_mafia.exe
Size

465KB
MD5

585866178e4b537e8ab651649e739bad
SHA1

a115f51bbf6204b044d43e5029a954fdb4598660
SHA256

5f52d96f5b5ec406b3b779352bcd49aa39d8c25e563d216b25e030d327f5ec61
SHA512

7b6d729180eaf773ad40f867880c1a1c70bae81c1ee9954022092e9c4d5f43f946920ab026c3d9422f91bb87fa2191de4d9a544f0e438ec7a240ce1b6588bbbe
SSDEEP

12288:Bb4bZudi79LrAozAr+FYvP017NwyO2c5oAx:Bb4bcdkLXQv05Cac5/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2716	423E.tmp

Loads dropped DLL 1 IoCs

pid	Process
2176	2024-11-30_585866178e4b537e8ab651649e739bad_mafia.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-30_585866178e4b537e8ab651649e739bad_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	423E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2728	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2716	423E.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2728	WINWORD.EXE
2728	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2716	2176	2024-11-30_585866178e4b537e8ab651649e739bad_mafia.exe	30
PID 2176 wrote to memory of 2716	2176	2024-11-30_585866178e4b537e8ab651649e739bad_mafia.exe	30
PID 2176 wrote to memory of 2716	2176	2024-11-30_585866178e4b537e8ab651649e739bad_mafia.exe	30
PID 2176 wrote to memory of 2716	2176	2024-11-30_585866178e4b537e8ab651649e739bad_mafia.exe	30
PID 2716 wrote to memory of 2728	2716	423E.tmp	31
PID 2716 wrote to memory of 2728	2716	423E.tmp	31
PID 2716 wrote to memory of 2728	2716	423E.tmp	31
PID 2716 wrote to memory of 2728	2716	423E.tmp	31
PID 2728 wrote to memory of 2620	2728	WINWORD.EXE	33
PID 2728 wrote to memory of 2620	2728	WINWORD.EXE	33
PID 2728 wrote to memory of 2620	2728	WINWORD.EXE	33
PID 2728 wrote to memory of 2620	2728	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\2024-11-30_585866178e4b537e8ab651649e739bad_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-30_585866178e4b537e8ab651649e739bad_mafia.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\423E.tmp
  "C:\Users\Admin\AppData\Local\Temp\423E.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-11-30_585866178e4b537e8ab651649e739bad_mafia.exe C5538FA5020FC16033C6E932BA5E28EF663BCEBD54ABD7EEC72EF5CF609C945884719413B2341FF879C87373BD35453E1BD77EA3E505900CA7586FA4C6AC3AAE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2024-11-30_585866178e4b537e8ab651649e739bad_mafia.doc"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-11-30_585866178e4b537e8ab651649e739bad_mafia.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\423E.tmp

Filesize
465KB

MD5
676eee3c2628a87455ba271990f9cfb4

SHA1
2cba71d620308ced871e1969179f3207418a867f

SHA256
b7f95e77383c7c311f87d9aa32b0cd6f00f4fd43348cab8ac8d900fe017c9757

SHA512
5d04acd259836a3acc09de6100a93e66ddda663bc91ff50cd7ddc98997a10bc5d13d980e2656fa5fb6323a166598ce6b1d5684c8abdebda0a6ea62c9822d060b

Download Submit
memory/2728-7-0x000000002F481000-0x000000002F482000-memory.dmp

Filesize
4KB

Download
memory/2728-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2728-9-0x000000007121D000-0x0000000071228000-memory.dmp

Filesize
44KB

Download
memory/2728-26-0x000000007121D000-0x0000000071228000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing