Analysis

  • max time kernel
    0s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-01-2024 06:49

General

  • Target

    2024-01-08_e6065348dbd128fe93c952a9bbe4729d_mafia_nionspy.exe

  • Size

    328KB

  • MD5

    e6065348dbd128fe93c952a9bbe4729d

  • SHA1

    7e5ac75382c56aace4f74600d209f9dd98e60df4

  • SHA256

    8aaa333ffc9a930e4d7be3ec617b6f600f50bcb2b758402fbe1beb5134f7e9c0

  • SHA512

    18f94b0a8c68c778f6e747f2c81a3fba02f990226fe283fb55cf9d818d0c534a0067909eea37fecb0c9cb98f447a82be38767a8d33640d450662fcdc9ddc1311

  • SSDEEP

    6144:I2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:I2TFafJiHCWBWPMjVWrXf1v

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-08_e6065348dbd128fe93c952a9bbe4729d_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-08_e6065348dbd128fe93c952a9bbe4729d_mafia_nionspy.exe"
    1⤵
    • Modifies registry class
    PID:2540
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe"
      2⤵
      PID:1816
  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe"
    1⤵
    PID:2612

Network

MITRE ATT&CK Enterprise v15


Downloads (one dropped path, C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe, captured eight times with different sizes and hashes; each entry below is one capture)

      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

        Filesize

        41KB

        MD5

        97ec774adbc1a44018ac0d907b587bf8

        SHA1

        46b1aec6d3f4d2b87922ac68715489a01986b89b

        SHA256

        3c1151f5c82859a5a14e18efa6243e9983d27582a93df8dda86ef08f8ce89d67

        SHA512

        eb5bc71866dcea29a58c33d45059c2483fdd1e261855dcb29ac5d70a134af708a5ee5a8e07edec2c361a8911b110a331d50ab16459cf60d4c0b01ef401b4e823

      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

        Filesize

        58KB

        MD5

        0fc191f921cce043f3c635af65515d43

        SHA1

        f6e98efe391ed4cf16ff9355cf864f61e907c9e2

        SHA256

        67644a728d693af59d07db0bab2524635fc677e49e0c68d627d92c2588c2fbaa

        SHA512

        3a412006da9e802212fd72ce25942d01120e270d9f7a3b24e76a6a43aafb8e2d0cfa67f00233fa9f4d12a5f3f19a25bb81e0f6f48b5c8b319d3b21e0bb8f815e

      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

        Filesize

        19KB

        MD5

        9fb403ef80647d485021cb394bd0aa47

        SHA1

        f698ce6893ae8915fd848dcef1bda8c7d886837d

        SHA256

        48cef948b52c1b2f0c478ec6ad405571ce6370720762af63c0ca086f0450fe26

        SHA512

        7f07a4e3ac0452a384fb0dbe5cdf9ebf218e2ae779f7bf7633de3ee5b5f3c16bac701f298b0a10be1dc7068cdd69bed5a5714811001ee0a34923acf227ffba52

      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

        Filesize

        52KB

        MD5

        22869a614eb1d86e8deb99c7e2fe4b7b

        SHA1

        ab3a3b8d17ad7baa27c1eea83a9e21a566e028f3

        SHA256

        5bde6a21574bcf976648a7d76bc4165051c4e527b80629e44c43b3b49ce28ffb

        SHA512

        fff3c6992bfe95069b7638847a3d76516a4b9dab635f4bdfe6e662d1df577220a0350a3bbecdeca30f15cf6bbe0dd8d9e5e4a9cb9f3ab5933d563d7febe93229

      • \Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

        Filesize

        23KB

        MD5

        eb20d9b387be0bc9e3b1666f74d1fc0f

        SHA1

        fb9f2df5577b20ba9d76d9798d0610f59c573aff

        SHA256

        428e26b713426b7417119dd06b01a4c15d1d9a0cc4c4430fc711892c7b2dd38c

        SHA512

        fc4165794dbdb4f007ecf637b60446efacac551ce863a902396dbfd102e8aacb763edf4e9bd1777c10916b975ea3cec7ed3ace9ad7ef441cafd4739702be4526

      • \Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

        Filesize

        64KB

        MD5

        126c4386b6b97014ddd2b72efc8474f4

        SHA1

        63b75a974c55074cafd6e5b96fdb570c493c1c0f

        SHA256

        c49420b1b25944cd14ced944952ccadf84b98c1d596fff9234a52e156aa88727

        SHA512

        ac38b053996eacfbd96ce1b6370ee8ef1eaccf96ad5791116f00016910162bd669ca30bf85e195d9c676cfb28c884d1e666092f5e35b47fe1a192e322eb248d0

      • \Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

        Filesize

        11KB

        MD5

        7d2b5a9b4ba144c7ed348c5088804583

        SHA1

        48d201387da62bcc7dddc24abeda5bd8a9f9c0ef

        SHA256

        2dc21a6a8eaa54f8df38fe128ad7093caaf9a7806b945e45be09d03c86be408b

        SHA512

        7ec678b66faf01c4000b9b697eb0eefa2779b2aba3b3b62a4b48e2a01bfe1f8d1dd43c85847f67f33380540bec2271077e5ca12350685d355e26c9b50d1ee8b9

      • \Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe

        Filesize

        6KB

        MD5

        f569110bcdf1009ba8ee9e06444d3e42

        SHA1

        c9619a4f9eb355ec24b6c00116f897ab5e09d0f3

        SHA256

        bad3cca163e9fc2999e0597604baf820028975557c73ecf771c2d1eb25412ede

        SHA512

        27b62b27a8a1cbead8b8cbdbc89b8073dcc886f06a9add54809a4aeb98656fd7cb38ab062616f70b1a6dfc119ba29abd212ec977ad4556a7ba80f3432830be80
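As an added hunting example that is not part of the sandbox report, the Python below turns the chain shown in the Processes section (dropper in %TEMP% launching wlogon32.exe from AppData\Roaming\Microsoft\Posix with a "/START <own path>" argument) and the SHA256 values listed under General and Downloads into checks run over Sysmon-style process-creation events. The events are constructed here to mirror the process tree; the parent image of PIDs 2540 and 2612, the Sysmon Event ID 1 field names, and which of the captured wlogon32.exe snapshots actually executed are assumptions, not facts from the report.

```python
import json
import re

# SHA256 values copied from the report's General and Downloads sections.
REPORT_SHA256 = {
    "8aaa333ffc9a930e4d7be3ec617b6f600f50bcb2b758402fbe1beb5134f7e9c0",  # submitted sample
    "3c1151f5c82859a5a14e18efa6243e9983d27582a93df8dda86ef08f8ce89d67",  # wlogon32.exe, 41KB capture
    "67644a728d693af59d07db0bab2524635fc677e49e0c68d627d92c2588c2fbaa",  # 58KB capture
    "48cef948b52c1b2f0c478ec6ad405571ce6370720762af63c0ca086f0450fe26",  # 19KB capture
    "5bde6a21574bcf976648a7d76bc4165051c4e527b80629e44c43b3b49ce28ffb",  # 52KB capture
    "428e26b713426b7417119dd06b01a4c15d1d9a0cc4c4430fc711892c7b2dd38c",  # 23KB capture
    "c49420b1b25944cd14ced944952ccadf84b98c1d596fff9234a52e156aa88727",  # 64KB capture
    "2dc21a6a8eaa54f8df38fe128ad7093caaf9a7806b945e45be09d03c86be408b",  # 11KB capture
    "bad3cca163e9fc2999e0597604baf820028975557c73ecf771c2d1eb25412ede",  # 6KB capture
}

# Drop location and relaunch argument taken from the Processes section.
POSIX_DROP_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Posix\\wlogon32\.exe$", re.I)
TEMP_PARENT_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
START_ARG_RE = re.compile(r'\s/START\s+"?[^"]*\\Posix\\wlogon32\.exe"?', re.I)


def parse_hashes(field):
    """Split a Sysmon-style 'SHA256=...,MD5=...' Hashes field into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def classify(ev):
    """Return the list of indicators a single process-creation event matches."""
    reasons = []
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmd = ev.get("CommandLine", "")
    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    in_posix = bool(POSIX_DROP_RE.search(image))
    if in_posix:
        reasons.append("exec_from_appdata_posix")
    if in_posix and TEMP_PARENT_RE.search(parent):
        reasons.append("spawned_from_temp_parent")  # dropper in %TEMP% launching the payload
    if START_ARG_RE.search(cmd):
        reasons.append("start_relaunch_arg")        # the "/START <own path>" pattern seen on PID 1816
    if sha256 in REPORT_SHA256:
        reasons.append("sha256_in_report")
    return reasons


def hunt(lines):
    """Parse JSON-lines events and return {ProcessId: [reasons]} for every event with a hit."""
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the sweep
        reasons = classify(ev)
        if reasons:
            hits[int(ev.get("ProcessId", -1))] = reasons
    return hits


# Constructed events modelled on the report's process tree; not real telemetry.
# ParentImage for PIDs 2540 and 2612 is not stated in the report and is assumed here.
_DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2024-01-08_e6065348dbd128fe93c952a9bbe4729d_mafia_nionspy.exe"
_PAYLOAD = r"C:\Users\Admin\AppData\Roaming\Microsoft\Posix\wlogon32.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 2540, "Image": _DROPPER, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{_DROPPER}"',
     "Hashes": "SHA256=8aaa333ffc9a930e4d7be3ec617b6f600f50bcb2b758402fbe1beb5134f7e9c0"},
    {"ProcessId": 1816, "Image": _PAYLOAD, "ParentImage": _DROPPER,
     "CommandLine": f'"{_PAYLOAD}" /START "{_PAYLOAD}"',
     "Hashes": "SHA256=3c1151f5c82859a5a14e18efa6243e9983d27582a93df8dda86ef08f8ce89d67"},
    {"ProcessId": 2612, "Image": _PAYLOAD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{_PAYLOAD}"',
     "Hashes": "SHA256=67644a728d693af59d07db0bab2524635fc677e49e0c68d627d92c2588c2fbaa"},
    {"ProcessId": 3001, "Image": r"C:\Windows\System32\notepad.exe",  # benign control event
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for pid, reasons in sorted(hunt(SAMPLE_LINES).items()):
        print(pid, ", ".join(reasons))
```

The path and argument checks are the durable part: the Downloads section shows the dropped file's hash changing across captures, so a hash-only match will miss variants while the AppData\Roaming\Microsoft\Posix location and the self-referencing /START argument survive rebuilds.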