Analysis

  • max time kernel
    160s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/01/2024, 05:49

General

  • Target

    2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe

  • Size

    344KB

  • MD5

    02cd08e31c43c91b1fd150562debf20f

  • SHA1

    3f0afb4617736bf02ff001f9f9c9ecfe771201b2

  • SHA256

    84ea6a35ea9783e3ef5bdfa211da8176d92ccf13ae3c280cbbdd98e4a6353494

  • SHA512

    d0e7c70dbe2de95ac22e26169ce0af42987032fc019147480c25c8d85a43294a7b68f1090924330558fefd7739032fc10eaad3da559a95c39ec38bcd77e964eb

  • SSDEEP

    6144:kTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:kTBPFV0RyWl3h2E+7pYm0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (30 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4320
      • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe"
        3⤵
        • Executes dropped EXE
        PID:1480

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe

    Filesize

    344KB

    MD5

    ddf3384d81f6b7d620ac983c98ec973a

    SHA1

    9ac45848e42ea01f3258876c3156a2dc884d2cc5

    SHA256

    f379b1b88423b2caeda8360d35923bc665ff3a2cc96f2f2ad1ee8bbafa463eb5

    SHA512

    69ac2992751cab17ddc330372a08ca3d2f14f446fbf5869c2c6ec312c79360d4f8669a42de2bea0de9a28c6137b6a72cd024fdf1f0d0bc6bf92bba9cc35afcf6
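The process tree and the file hashes above are the two things worth hunting for on other hosts. The script below is an added example, not part of the tria.ge report: it embeds the report's MD5/SHA256 values for the dropper and the dropped sidebar2.exe, and flags the process-tree shape the sandbox recorded (an executable under %APPDATA%\Microsoft\Sys32 started with /START that then re-launches a copy of itself). The process-creation events at the bottom are constructed to mirror the report's tree plus one benign process; the PIDs and the benign OneDrive entry are illustrative only.

```python
"""
Offline hunt for the indicators in this report (added example, not report
output). Hash values are copied from the report; the process events at the
bottom are constructed to mirror its tree plus one benign process.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hashes copied from the report above (dropper and dropped file).
KNOWN_HASHES: Dict[str, str] = {
    "02cd08e31c43c91b1fd150562debf20f": "dropper (MD5)",
    "84ea6a35ea9783e3ef5bdfa211da8176d92ccf13ae3c280cbbdd98e4a6353494": "dropper (SHA256)",
    "ddf3384d81f6b7d620ac983c98ec973a": "dropped sidebar2.exe (MD5)",
    "f379b1b88423b2caeda8360d35923bc665ff3a2cc96f2f2ad1ee8bbafa463eb5": "dropped sidebar2.exe (SHA256)",
}

# The drop location from the report: a look-alike "Sys32" folder under the
# roaming profile, where no Windows system binary legitimately lives.
SYS32_DROP_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\sys32\\[^\\]+\.exe$",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    """Minimal process-creation record (what Sysmon Event ID 1 would give you)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def match_hash(digest: str) -> Optional[str]:
    """Return the label for a known MD5/SHA256 digest, or None."""
    return KNOWN_HASHES.get(digest.strip().lower())


def hash_file_bytes(data: bytes) -> Dict[str, str]:
    """Compute the two digests most commonly compared against the report."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def find_suspicious(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for processes matching the report's tree pattern."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, List[str]]] = []
    for e in events:
        if not SYS32_DROP_RE.match(e.image):
            continue
        reasons = ["image under %APPDATA%\\Microsoft\\Sys32"]
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            reasons.append("re-launched by a copy of itself")
        if re.search(r"\s/START(\s|$)", e.cmdline, re.IGNORECASE):
            reasons.append("/START argument")
        hits.append((e.pid, reasons))
    return hits


# Constructed events mirroring the report's process tree, plus one benign process
# (PIDs 1234 and 5000 and the OneDrive entry are illustrative, not from the report).
_SB2 = r"C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe"
_DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe")
SAMPLE_EVENTS = [
    ProcEvent(1768, 1234, _DROPPER, f'"{_DROPPER}"'),
    ProcEvent(4320, 1768, _SB2, f'"{_SB2}" /START "{_SB2}"'),
    ProcEvent(1480, 4320, _SB2, f'"{_SB2}"'),
    ProcEvent(5000, 1234, r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
              r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
    print(match_hash("F379B1B88423B2CAEDA8360D35923BC665FF3A2CC96F2F2AD1EE8BBAFA463EB5"))
```

Note that the dropped sidebar2.exe has the same 344KB size as the dropper but different hashes, so matching on the dropper's hash alone will miss the persisted copy; the path and self-relaunch pattern are the more durable indicators, and both are checked independently of the hash list.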