Overview

overview

7

Static

static

3

2023-08-27...JC.exe

windows7-x64

7

2023-08-27...JC.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2023, 18:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2023-08-27_4c37ec3072feeb2fc78fe17a177c26d2_mafia_nionspy_JC.exe

  • Size

    288KB

  • MD5

    4c37ec3072feeb2fc78fe17a177c26d2

  • SHA1

    0fd1189488dabd7e1d29ed18c7a42df9fcdd3b1c

  • SHA256

    cd62c6ff30bcd1a46a3548bc02e04061bb4b7a8e6cb5d6426c82a258fd96392b

  • SHA512

    5d785899e75954bddb44f81bc500d8d4591a1644903bde54c112f5e7ef68c3a3c4b750f2ed467ef1a6af6159883cd4dd59f95aa109dab830e5afd59ac993c67b

  • SSDEEP

    6144:GQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:GQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-08-27_4c37ec3072feeb2fc78fe17a177c26d2_mafia_nionspy_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-08-27_4c37ec3072feeb2fc78fe17a177c26d2_mafia_nionspy_JC.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:220
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe"
        3⤵
        • Executes dropped EXE
        PID:4612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe
    Filesize

    288KB

    MD5

    0575b2733904fd45cd162631815278c7

    SHA1

    01801c1702b5eb4e75372b8f2583f3562f48eea5

    SHA256

    24f99c9f43628c7c98931a4dd18374b801ae9c73e25d6c00cdf2575cb6d82eae

    SHA512

    1110342f1398f2ea21c17b6220e75da1a5d797c7b2cb857b91797292d6ef9c8c9540b8747028821f7eb800570886cf9f20f286d838390eb5378173afbfe59e11

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe
    Filesize

    288KB

    MD5

    0575b2733904fd45cd162631815278c7

    SHA1

    01801c1702b5eb4e75372b8f2583f3562f48eea5

    SHA256

    24f99c9f43628c7c98931a4dd18374b801ae9c73e25d6c00cdf2575cb6d82eae

    SHA512

    1110342f1398f2ea21c17b6220e75da1a5d797c7b2cb857b91797292d6ef9c8c9540b8747028821f7eb800570886cf9f20f286d838390eb5378173afbfe59e11

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe
    Filesize

    288KB

    MD5

    0575b2733904fd45cd162631815278c7

    SHA1

    01801c1702b5eb4e75372b8f2583f3562f48eea5

    SHA256

    24f99c9f43628c7c98931a4dd18374b801ae9c73e25d6c00cdf2575cb6d82eae

    SHA512

    1110342f1398f2ea21c17b6220e75da1a5d797c7b2cb857b91797292d6ef9c8c9540b8747028821f7eb800570886cf9f20f286d838390eb5378173afbfe59e11

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe
    Filesize

    288KB

    MD5

    0575b2733904fd45cd162631815278c7

    SHA1

    01801c1702b5eb4e75372b8f2583f3562f48eea5

    SHA256

    24f99c9f43628c7c98931a4dd18374b801ae9c73e25d6c00cdf2575cb6d82eae

    SHA512

    1110342f1398f2ea21c17b6220e75da1a5d797c7b2cb857b91797292d6ef9c8c9540b8747028821f7eb800570886cf9f20f286d838390eb5378173afbfe59e11

    Download Submit