Analysis

  • max time kernel
    129s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/01/2024, 20:32

General

  • Target

    2024-01-26_70705cdeebd1122b6d70c8ff507a4855_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    70705cdeebd1122b6d70c8ff507a4855

  • SHA1

    d970ed08ca35aec3a9ad9061c5e97abde9c32fdb

  • SHA256

    78a413d1368a93a2bdddc86eed5d33551ce741fb20d61dcf7a8d455d26d2c39b

  • SHA512

    706d571a3856929f0f5fb16add69bfc0230851a30e1dc21f4850de827b06c8a9ca6f757c2c638b2d95b1853c93d5d5d2b815301923bcbff18b4a4cc7e247034c

  • SSDEEP

    6144:hQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:hQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (30 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-26_70705cdeebd1122b6d70c8ff507a4855_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-26_70705cdeebd1122b6d70c8ff507a4855_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3340
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"
        3⤵
        • Executes dropped EXE
        PID:3944
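The process tree above is the detection-worthy part of this report: the sample in %LOCALAPPDATA%\Temp drops and starts an LSASS look-alike (lsassys.exe, not lsass.exe) from %APPDATA%\Microsoft\Posix\ with a /START argument, and that dropped EXE then launches a second copy of itself. The following is an added example, not part of the sandbox report or of the sample, showing how those three behaviours can be expressed as rules over process-creation records. The ProcEvent field names and the benign PIDs (700, 4100, parent 5000) are assumptions constructed for the example; the malicious PIDs, paths and command lines are the ones recorded above.

```python
"""Rules for the process chain recorded in the sandbox report.

Added example (not from the report). Evaluates Sysmon-style process-creation
records, constructed inline, against three behaviours the tree shows:
  lsass-lookalike        image named lsass*.exe outside C:\Windows\System32
  temp-to-roaming-start  a Temp-resident parent starts a Roaming-resident EXE with /START
  self-respawn           a process starts another copy of its own image
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:          # assumed field names, modelled on Sysmon EventID 1
    pid: int
    ppid: int
    image: str            # full path of the started image
    cmdline: str


def _norm(p: str) -> str:
    """NTFS paths are case-insensitive; compare them lower-cased."""
    return p.replace("/", "\\").lower()


LSASS_LOOKALIKE = re.compile(r"^lsass\w*\.exe$")   # lsass.exe, lsassys.exe, lsasss.exe ...
SYSTEM32 = r"c:\windows\system32"


def rule_lsass_lookalike(ev: ProcEvent) -> bool:
    """Real lsass.exe only ever runs from System32; anything else is masquerading."""
    directory, base = ntpath.split(_norm(ev.image))
    return bool(LSASS_LOOKALIKE.match(base)) and directory != SYSTEM32


def rule_temp_to_roaming_start(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """The 212 -> 3340 step: Temp-resident parent launches a Roaming-resident EXE with /START."""
    if parent is None:
        return False
    return ("\\appdata\\local\\temp\\" in _norm(parent.image)
            and "\\appdata\\roaming\\" in _norm(ev.image)
            and "/start" in ev.cmdline.lower())


def rule_self_respawn(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """The 3340 -> 3944 step: the dropped EXE starts a second copy of itself."""
    return parent is not None and parent.pid != ev.pid and _norm(parent.image) == _norm(ev.image)


def evaluate(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each PID to the names of the rules it triggered (PIDs with no hits are omitted)."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {}
    for ev in events:
        parent = by_pid.get(ev.ppid)
        fired = [name for name, ok in (
            ("lsass-lookalike", rule_lsass_lookalike(ev)),
            ("temp-to-roaming-start", rule_temp_to_roaming_start(ev, parent)),
            ("self-respawn", rule_self_respawn(ev, parent)),
        ) if ok]
        if fired:
            hits[ev.pid] = fired
    return hits


# Constructed records: the three processes from the report plus two benign ones.
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\2024-01-26_70705cdeebd1122b6d70c8ff507a4855_mafia_nionspy.exe"
POSIX_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"
SAMPLE_EVENTS = [
    ProcEvent(700, 4, r"C:\Windows\System32\lsass.exe", r"C:\Windows\system32\lsass.exe"),   # genuine LSASS (constructed PIDs)
    ProcEvent(212, 5000, TEMP_EXE, f'"{TEMP_EXE}"'),                                         # parent PID assumed (explorer)
    ProcEvent(3340, 212, POSIX_EXE, f'"{POSIX_EXE}" /START "{POSIX_EXE}"'),
    ProcEvent(3944, 3340, POSIX_EXE, f'"{POSIX_EXE}"'),
    ProcEvent(4100, 5000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),               # benign, constructed
]

if __name__ == "__main__":
    for pid, rules in evaluate(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

The look-alike rule deliberately keys on the directory rather than the exact name, so the genuine `C:\Windows\System32\lsass.exe` passes while any `lsass*.exe` from a user-writable path is flagged; the other two rules need the parent record, so they only fire when the feed carries both ends of the chain.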

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe

    Filesize

    17KB

    MD5

    c4ea7338cbc8d8363304816c3960e3c5

    SHA1

    aed7a29a08012a0e5487f09cda226438958582fc

    SHA256

    26b53c1b539d95b34b49acaeb5031d82031d873230401122b7e68df5418fcfa0

    SHA512

    6788c3f281431c73d485bd7411c9b98a1d216d8263b90dd8efb2423f69ce9d0ad0df1eadb558cce1607cebeae8158bf93772604e4078ed851e898908dc7bf12c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe

    Filesize

    50KB

    MD5

    70adec296423dc924942ced45e930696

    SHA1

    fed63550b3d68eeb034bc8867d6d7b5228fd56fb

    SHA256

    b31f365f1936bb782517af07e6f47251fb76173673a8abaa0ca12ea87b78db5c

    SHA512

    d024ddab958e9836edd7f9617c63523885131755a8e311addf903f2345b169c5dad1254486d27440362dbbfc2a545bc150c3ec5499a34b82119b2fa43627cdec

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe

    Filesize

    58KB

    MD5

    6c507b750997f02cd7fc9dbbb31c2ac0

    SHA1

    bc42e02b95bd138704c2eace4f3788eecaa1a75f

    SHA256

    8e3b24249b0e85d3a14635164d735faeacc0c70e724c3419fc452b400a2f2448

    SHA512

    ec014f22857d7c027a4fa57d10a2149d16833cd01e17954d1ab3b47aa9c73b156ed7297c8bc7804a6d6e97a2e7ccf5545a78df81a2e227d7fb3b125a4d1ab7f6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe

    Filesize

    164KB

    MD5

    960e6d70443b02cc0f426a104db80b60

    SHA1

    c175bf7abdd48ab4d5786135d60756813a4e013d

    SHA256

    cef845b154ed0c883fd79341ba13cf31ce6017878423c2080d7b3e59fe8c3680

    SHA512

    b63f187c51a0d79da56ccc692cbe68674b04a2e3057ab0df3532fe27bcf66b64d4435330b54579030da6c4ee2a7a69ca75d351dc134266040d12dcd317b2febc
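The same drop path appears four times above with four different hash sets, so a sweep that only matches on hash will miss a rebuilt copy written to the same persistence location. The following is an added example, not part of the sandbox report, of a file-system sweep that reports both an exact SHA256 match against the indicators listed on this page and a path match (an lsassys.exe under ...\Microsoft\Posix\) whose hash is not listed. The directory tree built by demo() and its file contents are constructed for the example and are not the real dropped binary.

```python
"""Sweep a directory tree for the dropped lsassys.exe listed in the report.

Added example (not from the report). Verdicts:
  hash-match               SHA256 equals one of the indicators copied from the page
  path-match-unknown-hash  lsassys.exe under ...\Microsoft\Posix\ with an unlisted hash
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Sequence, Tuple

# Copied from the report: the parent sample and the four captures of lsassys.exe.
KNOWN_SHA256 = frozenset({
    "78a413d1368a93a2bdddc86eed5d33551ce741fb20d61dcf7a8d455d26d2c39b",
    "26b53c1b539d95b34b49acaeb5031d82031d873230401122b7e68df5418fcfa0",
    "b31f365f1936bb782517af07e6f47251fb76173673a8abaa0ca12ea87b78db5c",
    "8e3b24249b0e85d3a14635164d735faeacc0c70e724c3419fc452b400a2f2448",
    "cef845b154ed0c883fd79341ba13cf31ce6017878423c2080d7b3e59fe8c3680",
})

# Trailing components of the persistence path from the process tree, compared lower-case.
DROP_SUFFIX = ("microsoft", "posix", "lsassys.exe")


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(parts: Sequence[str], digest: str, known=KNOWN_SHA256) -> Optional[str]:
    """Pure verdict: path components plus digest -> verdict name, or None if clean."""
    if digest.lower() in known:
        return "hash-match"
    tail = tuple(p.lower() for p in parts[-3:])
    if tail == DROP_SUFFIX:
        return "path-match-unknown-hash"
    return None


def sweep(root, known=KNOWN_SHA256) -> List[Tuple[str, str, str]]:
    """Return sorted [(path, sha256, verdict)] for every file that gets a verdict."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable; log these separately in real use
            verdict = classify(p.parts, digest, known)
            if verdict:
                findings.append((str(p), digest, verdict))
    return sorted(findings)


def demo() -> Dict[str, str]:
    """Build a constructed tree in a temp dir and return {filename: verdict}."""
    with tempfile.TemporaryDirectory() as d:
        drop = Path(d, "AppData", "Roaming", "Microsoft", "Posix")
        drop.mkdir(parents=True)
        # Constructed stand-in at the real persistence path; its hash is not in the report.
        (drop / "lsassys.exe").write_bytes(b"constructed stand-in, not the sample")
        (Path(d) / "notes.txt").write_bytes(b"unrelated file")
        return {Path(p).name: v for p, _digest, v in sweep(d)}


if __name__ == "__main__":
    for path, digest, verdict in sweep(os.environ.get("SWEEP_ROOT", ".")):
        print(verdict, digest, path)
```

Run it with SWEEP_ROOT pointing at a mounted user profile; a path-match-unknown-hash hit is worth pulling for analysis, since the report already shows that the same location receives the file in several forms.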