Analysis

  • max time kernel: 120s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 11-01-2024 05:58

General

  • Target: 2024-01-10_e4e53ca8492178e860cd9da16cd38b9e_mafia_nionspy.exe
  • Size: 288KB
  • MD5: e4e53ca8492178e860cd9da16cd38b9e
  • SHA1: f1615e91060a996ba13fb3670d8d6238b48d473d
  • SHA256: f01ac57d8b45b7495cba520e24fe0972184f26c925708ade05e940b29dec0b52
  • SHA512: 717ca292f1d6937b845343dfc3c6141c4e89edf38984a6f28db11f189dc6fd797a6117b3314b107579b036bdfc6c43e1f03d88bd905a305afa77c2dc3e3734d2
  • SSDEEP: 6144:BQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:BQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-10_e4e53ca8492178e860cd9da16cd38b9e_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-10_e4e53ca8492178e860cd9da16cd38b9e_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2844
  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"
    1⤵
    • Executes dropped EXE
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
    Filesize: 68KB
    MD5: f61fcee425c8828eff47459cd9326073
    SHA1: 3b7192fce0c29080f7a31f9fcc071f57be21a868
    SHA256: 29943dd50060f39e0e001e5b0e703912501f386cc53e1b91f89f7f22ffeb1a3c
    SHA512: af2ddbb1221c75ada70033d706bad28b078fd723a79be04e17872d230e8ba1ba0e6fd5eaf90941da6ca66fc975622375e1f9b5970ef76431f8c30f8a59f26b8c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
    Filesize: 43KB
    MD5: 30c2381f0e84be792f9d96dac5dcbbe7
    SHA1: 8751bb40e91367f5371f9386435e2eb580f4647e
    SHA256: adea621ed84692fbd7055c159a25e758e54fbc8d389be5c2556e9cc63cd7b45c
    SHA512: 721d67d9ce0f1a2493c193ab17ee0ea5257a29c93b4ea13ff4d40e6247172552779db7211d4658531d8bc552e8c7c7f3c408f47f28d10a310fd09830d644ff7e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
    Filesize: 84KB
    MD5: b2cd0170827506e1dbf050a744c2df8b
    SHA1: 0ab280e596293e62e4dbf504b1f3e84547e0dc22
    SHA256: 36ed4e47c457e23c6a13a114f18574af6a797f2938a142533886c32c65a94850
    SHA512: 81f57dc0d802dcef4c5c0f11372ae563a7e1db425537d88f6d453f6a8331e5a60da71e8f0077fd0bad3693ac86eb6026781b87056a59c2bf24702063fb64eb5e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
    Filesize: 45KB
    MD5: f19ffc693e4b429ea5f356abe44f701f
    SHA1: a1974d19b10c4a991cb3f8e9f343d4c71e524c16
    SHA256: 34c23071f73dc6aeb1cf3db2340ee6a021a7fbff5eac3a8875531b1931621767
    SHA512: 85e8e4bfa4b73b5d23577de77fce1091ee1d123be8239dc27c533c248349cf80c826731158787267bc3d6e92604c0c4d636bc980fe5e306932a9f4ac1e1a608d

  • \Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
    Filesize: 64KB
    MD5: 524e81b80984896747ea73db876af825
    SHA1: 4187aaf21b8b12a5f5631335a48dd1d057fcb509
    SHA256: cbb0e9019a28a507021d5d8f4257fa8e19b454315be861702bc5f24440b42dfc
    SHA512: 3fda1d222a069e50cc06085ff2c3f773d10a51b787103d003281c8efd1aac8d07762ce87b99d04bab5b1023e6355e3b869f85579dc1c9d86585747a51862d883

  • \Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
    Filesize: 49KB
    MD5: 89c0c9d901926bdb4e89d46feab8b8eb
    SHA1: 9379a8022387ce421383d21ff4547c52b0f1e198
    SHA256: 53886857af40624275c77faf175b070231912a3ffe9df9856d6b1626dc0cb315
    SHA512: 62f12b1aeb368e55fe520cbc4a4d92509c6d0cc43371363334eb64aa8d9df748849c9d9d5e29025bdeae5b5ba5fc86676ed64def1f77d8ff638ab1d7910d68ac

  • \Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
    Filesize: 57KB
    MD5: 2de83cf0479eeee2cdd6afcda190de94
    SHA1: 713840cd838f3e4b95dcf95ca8c816281fb947d3
    SHA256: 6dc578bffb8e1b888be53a0dacf2ee3f6246342d93d7af6ee1708def45a001be
    SHA512: fdf563cd66ccce8880d97a764087ddcbf457f1d32b23785ccedbba22c3eb9d1a8d8e053e7b998a7eab22633181a39706456a0ff0bf9f9ca7ea90b3e94b4f45bb

  • \Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
    Filesize: 50KB
    MD5: 150a4beab746e377755272c573e6ebbe
    SHA1: a8a8dafcd571fb80382212f227b39d1db9fff942
    SHA256: 76369c69e07f07c2908b120a7bd59b64dafea5e0cc502986362638a230a4ebc8
    SHA512: b70ecc7b55c0dde71832e54a57b93a4a14184404c2704d5e81875fa39ff9e9e01ec9b8e570802a8afdc0826e4ceec0c338e50c9a6139d6c219c8ad9d0fc0f66f