Overview

overview

7

Static

static

3

NEAS.2023-...JC.exe

windows7-x64

7

NEAS.2023-...JC.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2023, 16:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.2023-09-08_3bd874975daedb1cc200a741c9e6d768_mafia_nionspy_JC.exe

  • Size

    328KB

  • MD5

    3bd874975daedb1cc200a741c9e6d768

  • SHA1

    3e41c065543caf7d768a9fb33b494acaaf149019

  • SHA256

    5bc5ec2c338febf2b97df36aad4fb45b3aff987e071c23d148168888b0f5651e

  • SHA512

    ccc4ac8cd50ffd5947f50c897d7531ab1e507aea2409d035435371bda83b05826525e904a5256000634ed7a4e1e1aea2e96a5dd8b02906765f09c5bfff8b7ee8

  • SSDEEP

    6144:+2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:+2TFafJiHCWBWPMjVWrXf1v

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_3bd874975daedb1cc200a741c9e6d768_mafia_nionspy_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_3bd874975daedb1cc200a741c9e6d768_mafia_nionspy_JC.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe"
        3⤵
        • Executes dropped EXE
        PID:2688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe
    Filesize

    328KB

    MD5

    d10ee190d27a3abb1d4bc27fd91eaa24

    SHA1

    414adff9466ed2670c4f7947d80981fbcb75749a

    SHA256

    79e21b8ae8b49c5d41edbd378ee7467fef262341a258561173edf1a7514db64c

    SHA512

    d8eed97b88f38943797a326e399603140073e3c948e1cd9a189101762d9dbde39b8c4b7f465553c195b37d37d8c23ae9420d88949b432d222996bc8d20f1a177

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe
    Filesize

    328KB

    MD5

    d10ee190d27a3abb1d4bc27fd91eaa24

    SHA1

    414adff9466ed2670c4f7947d80981fbcb75749a

    SHA256

    79e21b8ae8b49c5d41edbd378ee7467fef262341a258561173edf1a7514db64c

    SHA512

    d8eed97b88f38943797a326e399603140073e3c948e1cd9a189101762d9dbde39b8c4b7f465553c195b37d37d8c23ae9420d88949b432d222996bc8d20f1a177

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe
    Filesize

    328KB

    MD5

    d10ee190d27a3abb1d4bc27fd91eaa24

    SHA1

    414adff9466ed2670c4f7947d80981fbcb75749a

    SHA256

    79e21b8ae8b49c5d41edbd378ee7467fef262341a258561173edf1a7514db64c

    SHA512

    d8eed97b88f38943797a326e399603140073e3c948e1cd9a189101762d9dbde39b8c4b7f465553c195b37d37d8c23ae9420d88949b432d222996bc8d20f1a177

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe
    Filesize

    328KB

    MD5

    d10ee190d27a3abb1d4bc27fd91eaa24

    SHA1

    414adff9466ed2670c4f7947d80981fbcb75749a

    SHA256

    79e21b8ae8b49c5d41edbd378ee7467fef262341a258561173edf1a7514db64c

    SHA512

    d8eed97b88f38943797a326e399603140073e3c948e1cd9a189101762d9dbde39b8c4b7f465553c195b37d37d8c23ae9420d88949b432d222996bc8d20f1a177

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe
    Filesize

    328KB

    MD5

    d10ee190d27a3abb1d4bc27fd91eaa24

    SHA1

    414adff9466ed2670c4f7947d80981fbcb75749a

    SHA256

    79e21b8ae8b49c5d41edbd378ee7467fef262341a258561173edf1a7514db64c

    SHA512

    d8eed97b88f38943797a326e399603140073e3c948e1cd9a189101762d9dbde39b8c4b7f465553c195b37d37d8c23ae9420d88949b432d222996bc8d20f1a177

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe
    Filesize

    328KB

    MD5

    d10ee190d27a3abb1d4bc27fd91eaa24

    SHA1

    414adff9466ed2670c4f7947d80981fbcb75749a

    SHA256

    79e21b8ae8b49c5d41edbd378ee7467fef262341a258561173edf1a7514db64c

    SHA512

    d8eed97b88f38943797a326e399603140073e3c948e1cd9a189101762d9dbde39b8c4b7f465553c195b37d37d8c23ae9420d88949b432d222996bc8d20f1a177

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe
    Filesize

    328KB

    MD5

    d10ee190d27a3abb1d4bc27fd91eaa24

    SHA1

    414adff9466ed2670c4f7947d80981fbcb75749a

    SHA256

    79e21b8ae8b49c5d41edbd378ee7467fef262341a258561173edf1a7514db64c

    SHA512

    d8eed97b88f38943797a326e399603140073e3c948e1cd9a189101762d9dbde39b8c4b7f465553c195b37d37d8c23ae9420d88949b432d222996bc8d20f1a177

    Download Submit