Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
29-06-2024 07:07
General
-
Target
2024-06-29_d62b9c36797da734d233b75dd7650c7a_mafia.exe
-
Size
906KB
-
MD5
d62b9c36797da734d233b75dd7650c7a
-
SHA1
b0298e5039675ec8203bb1ed5a6c99a01317bd2c
-
SHA256
ccc98f7f739f1648862357aa39e9e58732d57a660e9d1459ce631e0006a2b475
-
SHA512
fd541d24b67089224893730b9ccd616eda2296ec4f76800373f76875c7ee3afcc64c4db64b0ea62f24f72e54b3b79aad69486317a7a8e178e2c426f88f9a1165
-
SSDEEP
12288:MUHzKufgk0IpzpXxsPsM+80/9OCOaVLR7g1xGkgBaFSkYu8DU0OYhLu0O49gY4B:HHVfSIpzpBsGACO0LRs1kk6i6uKVOu4B
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 32 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-29_d62b9c36797da734d233b75dd7650c7a_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-29_d62b9c36797da734d233b75dd7650c7a_mafia.exe"1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\minidownload.exeC:\Users\Admin\AppData\Local\Temp\\minidownload.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe"C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exe" /Install?status=true&softurl=http%3A%2F%2Fxiazai.sogou.com%2Fcomm%2Fredir%3Fsoftdown%3D1%26u%3DYRyEVuHeM45mBjjEUSPVUEJm8GF_McJfVdEjKPrgnocp6RPTnPFSKls2-N19zn1VjXknGW_sVMj8JS047p8djFgXJ8-dW6ZyJd2HMCZpOTvLIGNafI07QZpggfaFdLzRilLVZzhV53fF-ago-P3fECJIPRI-Fuc_AxfASetSfW-EYQCUJeVxeIydvbHLzdU58fq_yhqpAu2Q2Xc7f-Wt_N3bCf2EGP9pBffZPO5iNkbpFl1bNxXWeA..%26pcid%3D-6553774625093794549%26filename%3Ddjyx_415_1395300620_djyx_415_2014-3-20_VIPDL_signed.exe&iconurl=http%3A%2F%2Fpc3.gtimg.com%2Fsoftmgr%2Flogo%2F48%2F13717_48_1396515520.png&softname=%E6%B0%91%E5%9B%BD%E6%95%99%E8%82%B2%E5%A7%94%E5%91%98%E4%BC%9A&softsize=3.33MB2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\SogouDownLoad\crash\ExceptionReport.exe"C:\Program Files (x86)\SogouDownLoad\crash\ExceptionReport.exe" "dump202406290707"3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\SogouDownLoad\DownLoadDlg.exeFilesize
795KB
MD51a21e9b1435c06e562a1c6a2e92a82d6
SHA160457394473cb75fca7d3fe5069231e82c84a4e6
SHA25635e9bfc9e668511572a1e41f9421b5bd931e1b66a0562789453690f306a9af8e
SHA512d4336ddc4969c19078c0b06ae799a9062c571de12f471cdc6fcc8f9d27e3f8aebe75a0de47eaf7f719c3a58f69d40f7c28a964ab88cd9ef2b566c73e0e9f3eff
-
C:\Program Files (x86)\SogouDownLoad\crash\ExceptionReport.exeFilesize
111KB
MD5ba7121a86dbffafc97e1b8c11c17e199
SHA1922e584be46621e0ab57d3bb47b7c5dee8230ea8
SHA2560bc616a788f782a37b8fb0134ffabdd8a2988205a125b2f400c3deb43e2a8971
SHA51222641abfa34f8ed5c24375b221b6cae935fadffb4b1cf9f8c452658538dd4af459ec7e6a95d05fb7b3aa0fcb4bd195fa18d6fe787ece282fa5c5a8187da76197
-
C:\Program Files (x86)\SogouDownLoad\html\config.iniFilesize
116B
MD5ffa1443199298e2c4ff1122f1ae14b05
SHA196175a64c1f8ba142aa057e8f76e13467ecefb82
SHA2562d21ddb94831d5345bbfbe52ecd342067cf49c6eaf8c78057e1901b6c69c6574
SHA5123955846ed694c43d2d9857168e1c3fee9714ecea70c0af04b1db6d7be5b4805b92730d74bc4a74ed5464c47e4af558b8d040d0efc8ec276fcb8c50c346fe61de
-
C:\Program Files (x86)\SogouDownLoad\html\css\downloader.cssFilesize
7KB
MD50079cdb145c388c3e4c5e2235ac97bce
SHA17a8fee29992183dd572c52a1f6ca24219f4d8cba
SHA256f4890eb5df2bb1b2921c0e561388780b4e2871998ca5aa7f4ec8bbf6ea1a715c
SHA5127387d097152a49f8c57db203d89f64f6d2f905b60f69fa90d26ee3ebcab6428865e745fca63600c724c296db85d299502b4133cacd4b7dbcd4653712a82caa46
-
C:\Program Files (x86)\SogouDownLoad\html\download.htmlFilesize
7KB
MD5382c18d88309c186f501dc3d31876461
SHA11c602b521deec4e2826e9280fed7e586351282c4
SHA25667293d69f293e3347dd6eaabf19b84d3bba0fbc00fcc19d79be354da3f105687
SHA512f82ba3616734551eef1239203cc09531280f1c9118edc1f1218c18247c13dc3455e7d783f440a919a1df47922d33ed8526deabd979fe4d12e6cef2a5707c045d
-
C:\Program Files (x86)\SogouDownLoad\html\images\img_exe.gifFilesize
657B
MD50e0ac8352cd69f396f271fa32f3ab554
SHA1ed6d306a5033707f45477df3318a53d15b47cf43
SHA256c2c34d6bf4e17b756954e409dc9b5663169d68997abd722ce1e86473b769f10c
SHA5125d2528489c21600f16f04559500be3ebe9db5a1dc7bf9abc9c1312187b4b8b7bc5966f9eb2a38e26bff26c854a6d964fa156641fed9501cf0e7befedb60fd7e0
-
C:\Program Files (x86)\SogouDownLoad\html\js\actions.jsFilesize
8KB
MD53b4a5f925a08bd18b636880b8d557077
SHA173ed8c3697681e7999bae4fdcc62867b263182ce
SHA25648b8718ba8de855d6c937b23eb7ccc4f5482e6619de9261324c12a48ae6769dc
SHA512aa5ffd3040a6eb964ed7c70d138e3201989f78551610e22585077fa86bff58740500d6309c339a2dded56481d04f7416ca97b22548fde4661f7da39c9600644b
-
C:\Program Files (x86)\SogouDownLoad\html\js\jquery-1.11.2.min.jsFilesize
93KB
MD55790ead7ad3ba27397aedfa3d263b867
SHA18130544c215fe5d1ec081d83461bf4a711e74882
SHA2562ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0
SHA512781acedc99de4ce8d53d9b43a158c645eab1b23dfdfd6b57b3c442b11acc4a344e0d5b0067d4b78bb173abbded75fb91c410f2b5a58f71d438aa6266d048d98a
-
C:\Program Files (x86)\SogouDownLoad\html\js\swfobject.jsFilesize
10KB
MD5631f38cfac458788af482eba736e5ac3
SHA1b1d09def39ec74eff2c9e0aafe0a7c12e7650150
SHA25613e6cf03cdd65a8174cce7b0cb40c9821d2aff04a79c3374e8664fb0abb5694d
SHA5123ae47c895cd586b1dca8bdf65c58bc896b27837881cc42bb7b3d55c9a71ea9e857939a69c5146b445b64714996393d1ec9c0d95b18d18fd5cb48f02bb8a53f42
-
C:\Users\Admin\AppData\Local\Temp\CRASH.DMPFilesize
109KB
MD594a1ff4740c4ce268eab1b513b7f3315
SHA186227f4fccbbd686eacf99e9cfc6bba1a9eb599d
SHA2562f8a3a9d0361498174701733d73700e592ac14576c1cb3b0287eff1160d78476
SHA5122c4550178669f217fce0c6fca31e5fcb0201293adcb18ce32509616db323a45a1ff1676b6f1b7547ebad7b2a964d3358ea8e7f3163ec51f42e23f29799da215d
-
C:\Users\Admin\AppData\Local\Temp\ERRORLOG.TXTFilesize
25KB
MD5059d409de5210c207a3a937099143788
SHA124d1f20916598cc8816bd8163784fbb4ff8aac9c
SHA25619fe3adea017608a3f15a0c15924f779c7241574bccf20d5cae4bd3bd1f4cf4c
SHA512cd47bdcfc75f0e21e0d22b209aadaf89bc64fca933d03cee47a14831dfe1b25c1623dcf77bbec9d8adac6e5b7650c93315357119ca4ca7d707ece7f5fbc6d626
-
C:\Users\Admin\AppData\Local\Temp\minidownload.exeFilesize
499KB
MD592611a7ef872df59c53eab1e76855a9d
SHA141351edd9c7a5587a2ba7793131205a8bc3896e8
SHA256b655815e0b129134ccebd00f44eb87f85e72eb37a1879509e90f539dda4600cc
SHA5121b07e6ef576751ee20e4d2c43031aa4d668b8dd3f58dd403db56fb9cce39c4c8646cb2c0268596c3df67f7fbbddefc017e5205f8f27612fb269caffa52536f0b
-
memory/3404-45-0x0000000002700000-0x0000000002701000-memory.dmpFilesize
4KB
