Overview

overview

7

Static

static

3

NEAS.2023-...JC.exe

windows7-x64

7

NEAS.2023-...JC.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    168s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/10/2023, 10:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.2023-09-09_3ccd4ece6ad546ec76e70016c194876c_mafia_nionspy_JC.exe

  • Size

    327KB

  • MD5

    3ccd4ece6ad546ec76e70016c194876c

  • SHA1

    e91d4a01eb3d034c2d6744db8f1727190903ce4c

  • SHA256

    1e553d758f08fe7463384de0e8125d01f0e66f5235f187bba5316ddbea93f8ea

  • SHA512

    03599916a3b4a745f694dc896952ea661d9f833c570b25bdea0c9dac9a1b5537c4a9a5e5b0df2eb8d0739c7c1ceb0d3e230235380952bedc3d86dd24bdb3e23e

  • SSDEEP

    6144:u2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:u2TFafJiHCWBWPMjVWrXK0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_3ccd4ece6ad546ec76e70016c194876c_mafia_nionspy_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_3ccd4ece6ad546ec76e70016c194876c_mafia_nionspy_JC.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:720
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe"
        3⤵
        • Executes dropped EXE
        PID:968

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
          Filesize

          327KB

          MD5

          5ec3062df25ab5e981a33063a2f7599d

          SHA1

          544577fd771e4fbc994e9d93676a2e40d1d6c9ce

          SHA256

          628705689b51faae5c9ed1fdee4aa4240a32eed2eb0519bd20b8b4b7c4e1f970

          SHA512

          ef105fd0b79c40b192f6dd87faadfa18419e599c55b62acb7b375b75689abce21f50fc8abfaf1c192c4079ce975fc613323851f55c80494081ff1b9f028ec438

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
          Filesize

          327KB

          MD5

          5ec3062df25ab5e981a33063a2f7599d

          SHA1

          544577fd771e4fbc994e9d93676a2e40d1d6c9ce

          SHA256

          628705689b51faae5c9ed1fdee4aa4240a32eed2eb0519bd20b8b4b7c4e1f970

          SHA512

          ef105fd0b79c40b192f6dd87faadfa18419e599c55b62acb7b375b75689abce21f50fc8abfaf1c192c4079ce975fc613323851f55c80494081ff1b9f028ec438

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
          Filesize

          327KB

          MD5

          5ec3062df25ab5e981a33063a2f7599d

          SHA1

          544577fd771e4fbc994e9d93676a2e40d1d6c9ce

          SHA256

          628705689b51faae5c9ed1fdee4aa4240a32eed2eb0519bd20b8b4b7c4e1f970

          SHA512

          ef105fd0b79c40b192f6dd87faadfa18419e599c55b62acb7b375b75689abce21f50fc8abfaf1c192c4079ce975fc613323851f55c80494081ff1b9f028ec438

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
          Filesize

          327KB

          MD5

          5ec3062df25ab5e981a33063a2f7599d

          SHA1

          544577fd771e4fbc994e9d93676a2e40d1d6c9ce

          SHA256

          628705689b51faae5c9ed1fdee4aa4240a32eed2eb0519bd20b8b4b7c4e1f970

          SHA512

          ef105fd0b79c40b192f6dd87faadfa18419e599c55b62acb7b375b75689abce21f50fc8abfaf1c192c4079ce975fc613323851f55c80494081ff1b9f028ec438

          Download Submit