Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2023, 22:33

General

  • Target

    NEAS.2023-09-08_91984738c7c41417169d9e2cc1506c97_mafia_nionspy_JC.exe

  • Size

    344KB

  • MD5

    91984738c7c41417169d9e2cc1506c97

  • SHA1

    3be27d7e687c917dc59dfb19a673fc4c61eaef73

  • SHA256

    312e92d367594b92fd6d2f0eb31dd4e3d0686a133b78bd32010faf1e1fcda270

  • SHA512

    d475e9b28e51bc383812bd00367e7a79558a50fe76a9fd5c1072ffedda1e5037fc7b92becb571f0a56e4831a28239fb247a15dbdafd60d0bc0415a229b0462ba

  • SSDEEP

    6144:yTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:yTBPFV0RyWl3h2E+7pYm0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_91984738c7c41417169d9e2cc1506c97_mafia_nionspy_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_91984738c7c41417169d9e2cc1506c97_mafia_nionspy_JC.exe"
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe"
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe"
        • Executes dropped EXE
        PID:3056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe

    Filesize

    344KB

    MD5

    8378c5b4eac4d003c3eafaf92ff4f17d

    SHA1

    8432097213ff445667501ab3c8ea0391195081c4

    SHA256

    e238e48d181d2acf280a951865a8806e63e7258d09190e0121d6c0648c1a7237

    SHA512

    025868827ec9c380968abbfa4f089bf28f8e5fed514d19e66a87963561b1c6191e51837721f4a9be58e7a8886e2a6b3804a865875ac3c582272b9e3d4ef3753c
