Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

58dae094ae...JC.exe

windows7-x64

7

58dae094ae...JC.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    135s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/08/2023, 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    58dae094aea0371bf580bf9471d016d4_mafia_nionspy_JC.exe

  • Size

    327KB

  • MD5

    58dae094aea0371bf580bf9471d016d4

  • SHA1

    daa27c0b9f046cac532dc6b2ae613e5139f61162

  • SHA256

    6fcb00c6b7e839e0a1bb00f33f621fcd1ae70d0dfaa2421c767c35105aaa30de

  • SHA512

    2e708da76bd0ee3448b1fb9fcf82264d8120bfecfd815c269f32188642e558f7a49413c40eeb6e4264a5425e54e6d4d67444e8c68ee2b68681ad1b8fa60c98c8

  • SSDEEP

    6144:I2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:I2TFafJiHCWBWPMjVWrXK0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58dae094aea0371bf580bf9471d016d4_mafia_nionspy_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\58dae094aea0371bf580bf9471d016d4_mafia_nionspy_JC.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
        3⤵
        • Executes dropped EXE
        PID:1916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
    Filesize

    327KB

    MD5

    9c28a243ee519be4322d0f46bd43d26f

    SHA1

    d4cadf34975355e81fffeaa442553a9ababc7018

    SHA256

    466d4275fd01d57bacf978ab5c6be3f46cc3c238cb47f4d0e68d40428db214a0

    SHA512

    8c075129615c6d5dada41bd83eb2cb92cb3306eb68cc5cfc7e4818a7f98bccaae2228da32eca83df825db1f39fd6040af698eedb342bf7e48293caabe53deccb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
    Filesize

    327KB

    MD5

    9c28a243ee519be4322d0f46bd43d26f

    SHA1

    d4cadf34975355e81fffeaa442553a9ababc7018

    SHA256

    466d4275fd01d57bacf978ab5c6be3f46cc3c238cb47f4d0e68d40428db214a0

    SHA512

    8c075129615c6d5dada41bd83eb2cb92cb3306eb68cc5cfc7e4818a7f98bccaae2228da32eca83df825db1f39fd6040af698eedb342bf7e48293caabe53deccb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
    Filesize

    327KB

    MD5

    9c28a243ee519be4322d0f46bd43d26f

    SHA1

    d4cadf34975355e81fffeaa442553a9ababc7018

    SHA256

    466d4275fd01d57bacf978ab5c6be3f46cc3c238cb47f4d0e68d40428db214a0

    SHA512

    8c075129615c6d5dada41bd83eb2cb92cb3306eb68cc5cfc7e4818a7f98bccaae2228da32eca83df825db1f39fd6040af698eedb342bf7e48293caabe53deccb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
    Filesize

    327KB

    MD5

    9c28a243ee519be4322d0f46bd43d26f

    SHA1

    d4cadf34975355e81fffeaa442553a9ababc7018

    SHA256

    466d4275fd01d57bacf978ab5c6be3f46cc3c238cb47f4d0e68d40428db214a0

    SHA512

    8c075129615c6d5dada41bd83eb2cb92cb3306eb68cc5cfc7e4818a7f98bccaae2228da32eca83df825db1f39fd6040af698eedb342bf7e48293caabe53deccb

    Download Submit