Analysis

  • max time kernel
    137s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-01-2024 06:02

General

  • Target

    2024-01-09_d8b858102e091121aeed54224a4c2123_mafia_nionspy.exe

  • Size

    327KB

  • MD5

    d8b858102e091121aeed54224a4c2123

  • SHA1

    cb6f48247ac2fdf56e0261578abaff90c86625be

  • SHA256

    e550172994202072ad46789d5004d4811a4f9e7f69b4766682b66860536cf1d3

  • SHA512

    ae1d0ed47590e3212890e183cd49cd31e845e0fb0d9034f7e5f900d8b690a0943aa4fc2ee2b558ce45ee9d2c2a11377a1cb9b06d2c221154bb68875b5f2aa1c7

  • SSDEEP

    6144:p2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:p2TFafJiHCWBWPMjVWrXK0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (30 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-09_d8b858102e091121aeed54224a4c2123_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-09_d8b858102e091121aeed54224a4c2123_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe"
        3⤵
        • Executes dropped EXE
        PID:1340

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe

    Filesize

    327KB

    MD5

    4b0bf814e16297d62a91b759ea892150

    SHA1

    ff66adb26cc1570cb8c0a34d2155c8e4716d6db9

    SHA256

    024f1d2846343c105429310366d5f13f628e4c5ddaea4c9cf33956983266802c

    SHA512

    465e5a687b7c66ea91956a86946d99ea5b9d1b5dfd277339cbb5e84298f7eda19c1a35d6f458f735fdd05f826beffcc2c263b10016ccd7849bd2359f4f752ea7
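The process tree and the dropped-file hashes above are the parts of this report a responder would turn into hunting logic. The following is an added example, not part of the sandbox report or any tool it names: it takes the IoCs the report records (the sample and dropped-file SHA256 values, the dropped-file path under `AppData\Roaming\Microsoft\SysWOW_32`, the `/START` launch argument, and the self-respawn of `wlogon32.exe`) and matches them against a handful of constructed process-creation events. The `key=value|key=value` event format, the helper names, and the benign event are assumptions made for illustration; note that `SysWOW_32` imitates the legitimate `C:\Windows\SysWOW64` directory, which is why the path itself is worth matching.

```python
"""Added IoC-matching example (not code from the sandbox report).

Matches the process chain and dropped-file hashes recorded in the report
against constructed sample telemetry. The 'key=value|key=value' event
format is an assumption made for illustration; the IoCs (paths, command
line, hashes) are copied from the report.
"""
import re
from typing import Dict, List

# IoCs copied from the report.
SAMPLE_SHA256 = "e550172994202072ad46789d5004d4811a4f9e7f69b4766682b66860536cf1d3"
DROPPED_SHA256 = "024f1d2846343c105429310366d5f13f628e4c5ddaea4c9cf33956983266802c"
DROPPED_PATH = r"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe"
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\2024-01-09_d8b858102e091121aeed54224a4c2123_mafia_nionspy.exe")
KNOWN_SHA256 = {SAMPLE_SHA256: "submitted sample",
                DROPPED_SHA256: "dropped wlogon32.exe"}

# Behavioural pattern from the process tree: an executable in the user's
# Temp directory spawns a copy in AppData\Roaming\Microsoft\SysWOW_32 with
# the "/START" argument, and that copy re-spawns itself without arguments.
# "SysWOW_32" is not a Windows directory; the real one is C:\Windows\SysWOW64.
_FAKE_SYSWOW_DIR = re.compile(r"\\AppData\\Roaming\\Microsoft\\SysWOW_32\\", re.IGNORECASE)
_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' process-creation event."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every report behaviour this single event matches."""
    hits: List[str] = []
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmdline = event.get("CommandLine", "")
    if _FAKE_SYSWOW_DIR.search(image):
        hits.append("image_in_fake_syswow_dir")
    if _TEMP_DIR.search(parent) and _FAKE_SYSWOW_DIR.search(image) and "/START" in cmdline:
        hits.append("temp_drops_and_starts_wlogon32")
    if _FAKE_SYSWOW_DIR.search(parent) and image.lower() == parent.lower():
        hits.append("wlogon32_respawns_itself")
    sha = event.get("Hashes", "").lower()
    if sha in KNOWN_SHA256:
        hits.append("known_hash:" + KNOWN_SHA256[sha])
    return hits


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Classify every event; returns {ProcessId: hits} for events with hits."""
    result: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        hits = classify(ev)
        if hits:
            result[ev["ProcessId"]] = hits
    return result


def _event(pid: str, image: str, cmdline: str, parent: str, sha256: str) -> str:
    """Build one constructed event line in the assumed format."""
    return (f"ProcessId={pid}|Image={image}|CommandLine={cmdline}"
            f"|ParentImage={parent}|Hashes={sha256}")


# Constructed sample events modelled on the report's process tree (PIDs 2068,
# 4036, 1340) plus one benign event that should produce no hits.
SAMPLE_EVENTS = [
    _event("2068", SAMPLE_PATH, f'"{SAMPLE_PATH}"', r"C:\Windows\explorer.exe", SAMPLE_SHA256),
    _event("4036", DROPPED_PATH, f'"{DROPPED_PATH}" /START "{DROPPED_PATH}"',
           SAMPLE_PATH, DROPPED_SHA256),
    _event("1340", DROPPED_PATH, f'"{DROPPED_PATH}"', DROPPED_PATH, DROPPED_SHA256),
    _event("5000", r"C:\Windows\System32\notepad.exe", "notepad.exe",
           r"C:\Windows\explorer.exe", "0" * 64),  # constructed benign event
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

Hash matching alone only catches these exact files; the path and parent/child checks are what survive a recompiled sample, so in practice the `SysWOW_32` directory and the `/START` self-launch are the more durable signals to keep in a hunt query.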