Overview

overview

7

Static

static

3

2024-01-09...py.exe

windows7-x64

7

2024-01-09...py.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/01/2024, 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-09_770424cc3151c903f6fb7e26bb67d308_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    770424cc3151c903f6fb7e26bb67d308

  • SHA1

    025d453719601965a9ccb27a9995f83e847f73d1

  • SHA256

    d2cedab7eb566fb39f660a7d47d735a837b894dce9e67e93b59046a325ca8ad3

  • SHA512

    b02f95a950bfd94334a9ceab508b084e90c49b8f2f44b1d4e943adc726a4b674b19950f8da515324ffecc6c9d45f0f9d26afd92fc677f38ff15476404524d733

  • SSDEEP

    6144:EQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:EQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-09_770424cc3151c903f6fb7e26bb67d308_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-09_770424cc3151c903f6fb7e26bb67d308_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1908
  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe"
    1⤵
    • Executes dropped EXE
    PID:224

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe
    Filesize

    2KB

    MD5

    6b81dd2032ee7e4cd056d24360a57cf2

    SHA1

    95dee30fd8744c81b437cde5a6839a2c07823073

    SHA256

    9364662e1c4f3f4e3f289229526d734fe85d2513361381ff816c710bde151231

    SHA512

    0752dacb6061adf4447511428e6d6e7a202521939a89a77d288588ab67de24381918763ec32ecbf6ef9ccb7409a4479e34721f1ff43862c78353e002078b3cee

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe
    Filesize

    43KB

    MD5

    536610a9265155b6d390444dba9cbade

    SHA1

    9161bb011da0869a0343251c5d48c9315d5f5647

    SHA256

    7c4bb6555ffdf0ea9fc9561af928c85872b01f03ddb2df6336c6e10d8112d6f5

    SHA512

    3194da6c720158e2a334b5ca57baea9c7e4dfa363f8f1c8a23c46c0d07ca95f5d44bf5211f6f41873a65ba66401c931fd4bc78952a1e0b1ddb36f12c830543a8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe
    Filesize

    280KB

    MD5

    6774872c4eaffc1f51947595e2e7d68b

    SHA1

    ae35639e864ae4ce656862d727e7a2c1faf27275

    SHA256

    170ad8048ff0c1faffc902969d209ba45147928b349c66f287d73866c050057e

    SHA512

    4a14f4ee3d59e3e60375bd1fdad50226206f5e504750a6fa3cae93ff382666b845a2e8c110dd44719694f89c5b59d8edb8a8e5e65ec89d8e1dc9cd6ca9c5b29d

    Download Submit