Overview

overview

7

Static

static

3

a9848a08e7...JC.exe

windows7-x64

7

a9848a08e7...JC.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    127s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    27/08/2023, 14:10

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a9848a08e7d87afa812a284409469b79_mafia_nionspy_JC.exe

  • Size

    328KB

  • MD5

    a9848a08e7d87afa812a284409469b79

  • SHA1

    70f55dab792b86f74e49d2fa4f86c7aebccf9293

  • SHA256

    61d369ee21195549cffcc9df15627ae515727bc58d994424bf88a898b0e3b14b

  • SHA512

    9b183c09cd071442b1c3a7a4fe76f2253f17672c597d12fe0e206544dc365a765194b4a7c61000c9cc6b178fc32dfebe9996ecc734845f6b4acc4d454de409e9

  • SSDEEP

    6144:R2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:R2TFafJiHCWBWPMjVWrXf1v

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9848a08e7d87afa812a284409469b79_mafia_nionspy_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\a9848a08e7d87afa812a284409469b79_mafia_nionspy_JC.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
        3⤵
        • Executes dropped EXE
        PID:1768

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
          Filesize

          328KB

          MD5

          34b84538cc58fcad6e03095253872f34

          SHA1

          30666e17e36f7354a9a3b05b4194d6c7853c443f

          SHA256

          1470a4240fd0fcbe45e33be18da0cdd618a3eefce03e20ba73410a162db6e612

          SHA512

          eaeccabaa755e477a5a67fcd7dcb4272c2bcb6a959adf28d176f6c9875f14a36363e8b2c9f9b96e4e1812f270e3b6fb4c8f78369ce4a47c834cc8d93316e0b4f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
          Filesize

          328KB

          MD5

          34b84538cc58fcad6e03095253872f34

          SHA1

          30666e17e36f7354a9a3b05b4194d6c7853c443f

          SHA256

          1470a4240fd0fcbe45e33be18da0cdd618a3eefce03e20ba73410a162db6e612

          SHA512

          eaeccabaa755e477a5a67fcd7dcb4272c2bcb6a959adf28d176f6c9875f14a36363e8b2c9f9b96e4e1812f270e3b6fb4c8f78369ce4a47c834cc8d93316e0b4f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
          Filesize

          328KB

          MD5

          34b84538cc58fcad6e03095253872f34

          SHA1

          30666e17e36f7354a9a3b05b4194d6c7853c443f

          SHA256

          1470a4240fd0fcbe45e33be18da0cdd618a3eefce03e20ba73410a162db6e612

          SHA512

          eaeccabaa755e477a5a67fcd7dcb4272c2bcb6a959adf28d176f6c9875f14a36363e8b2c9f9b96e4e1812f270e3b6fb4c8f78369ce4a47c834cc8d93316e0b4f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
          Filesize

          328KB

          MD5

          34b84538cc58fcad6e03095253872f34

          SHA1

          30666e17e36f7354a9a3b05b4194d6c7853c443f

          SHA256

          1470a4240fd0fcbe45e33be18da0cdd618a3eefce03e20ba73410a162db6e612

          SHA512

          eaeccabaa755e477a5a67fcd7dcb4272c2bcb6a959adf28d176f6c9875f14a36363e8b2c9f9b96e4e1812f270e3b6fb4c8f78369ce4a47c834cc8d93316e0b4f

          Download Submit

        • \Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
          Filesize

          328KB

          MD5

          34b84538cc58fcad6e03095253872f34

          SHA1

          30666e17e36f7354a9a3b05b4194d6c7853c443f

          SHA256

          1470a4240fd0fcbe45e33be18da0cdd618a3eefce03e20ba73410a162db6e612

          SHA512

          eaeccabaa755e477a5a67fcd7dcb4272c2bcb6a959adf28d176f6c9875f14a36363e8b2c9f9b96e4e1812f270e3b6fb4c8f78369ce4a47c834cc8d93316e0b4f

          Download Submit

        • \Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
          Filesize

          328KB

          MD5

          34b84538cc58fcad6e03095253872f34

          SHA1

          30666e17e36f7354a9a3b05b4194d6c7853c443f

          SHA256

          1470a4240fd0fcbe45e33be18da0cdd618a3eefce03e20ba73410a162db6e612

          SHA512

          eaeccabaa755e477a5a67fcd7dcb4272c2bcb6a959adf28d176f6c9875f14a36363e8b2c9f9b96e4e1812f270e3b6fb4c8f78369ce4a47c834cc8d93316e0b4f

          Download Submit

        • \Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
          Filesize

          328KB

          MD5

          34b84538cc58fcad6e03095253872f34

          SHA1

          30666e17e36f7354a9a3b05b4194d6c7853c443f

          SHA256

          1470a4240fd0fcbe45e33be18da0cdd618a3eefce03e20ba73410a162db6e612

          SHA512

          eaeccabaa755e477a5a67fcd7dcb4272c2bcb6a959adf28d176f6c9875f14a36363e8b2c9f9b96e4e1812f270e3b6fb4c8f78369ce4a47c834cc8d93316e0b4f

          Download Submit