Analysis

  • max time kernel
    153s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-01-2024 01:26

General

  • Target

    2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe

  • Size

    327KB

  • MD5

    5122529815fbaa316255966e87becab6

  • SHA1

    9ebb8604e0222b8d0aed7c151314666e7468bbc8

  • SHA256

    9488557b48f89bf068b106f0ec329e8761cc736f742916380d771f05f3ac83c3

  • SHA512

    bf9c7db7434f21a2c6c4dc0973c7b8d43cf865bc690c8d084d609b828fcb2dd31e88fd12c5bae32d711bd1192e3af866d4ee2d8a29a1caaf672b4ac6f3099313

  • SSDEEP

    6144:p2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:p2TFafJiHCWBWPMjVWrXK0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (30 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"
        3⤵
        • Executes dropped EXE
        PID:3068

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe

    Filesize

    327KB

    MD5

    78bd49dda8aaa49e6c4c8d17a162aeac

    SHA1

    ed0c1affc7144cf375743cdfb37938c1a39d4742

    SHA256

    c81cee2ff398a1e52194aac9d4334a9296ed6a874a29a883a59e2789b641563a

    SHA512

    cecc50511fbf3d287dc81f1ae4ae24d1f9b2c174b9a3ba6ffa226bee09406d32df811ab01e4836852881d2463ef2896e8aff470af4135a904f02b01f857d00ae