Analysis

  • max time kernel
    122s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/01/2024, 08:34

General

  • Target

    2024-01-27_d26ea78c92e6c36999cdd5a38327e364_mafia_nionspy.exe

  • Size

    344KB

  • MD5

    d26ea78c92e6c36999cdd5a38327e364

  • SHA1

    c6d005aa519727ef39be4f9caec12472a908c1e4

  • SHA256

    301c6a48c7a9924909596ffa1cca6fdd776a334d8d512b11577b5d7146fffcb1

  • SHA512

    8dd4d65e1e7e5a66ab2ff3f4c12d7cd8fb87a75d16bad49964ed518e351048366a643c1e536ad06f51eb62f3a680bdc9589b8ee28307d8c1de5babfd757a0e79

  • SSDEEP

    6144:wTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:wTBPFV0RyWl3h2E+7pYm0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-27_d26ea78c92e6c36999cdd5a38327e364_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-27_d26ea78c92e6c36999cdd5a38327e364_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe"
        3⤵
        • Executes dropped EXE
        PID:2744
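The process tree above shows a pattern worth turning into a hunt: the sample in %TEMP% drops sidebar2.exe into a directory under %APPDATA%\Microsoft whose name mimics SysWOW64, starts it with a /START switch that points at its own path, and the dropped binary then respawns itself. The following is an added example, not part of the Triage report or the malware. It runs a few detection rules over a constructed list of Sysmon-style process-creation events modelled on the tree (a benign notepad.exe row is included as a control); the event shape, the fake-system-directory pattern and the rule names are assumptions, while the SHA256 values are the ones listed on this page.

```python
"""Hunt for the behaviour recorded in the report: a dropped EXE in a fake
system folder under %APPDATA%, a /START switch pointing at itself, and a
self-respawn. All events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Hashes copied from the report; the benign control row uses a dummy hash.
SAMPLE_SHA256 = "301c6a48c7a9924909596ffa1cca6fdd776a334d8d512b11577b5d7146fffcb1"
DROPPED_SHA256 = "ceadc9758656ba383972cac0f1bb333566e37dbd604914030d29d71d5f4034ad"
KNOWN_BAD = {SAMPLE_SHA256, DROPPED_SHA256}

# Assumption: no legitimate SysWOW*/System32* folder lives under
# %APPDATA%\Microsoft, so such a name there is a masquerade indicator.
FAKE_SYSTEM_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\(SysWOW\w*|System32\w*)\\", re.IGNORECASE)
# User-writable staging locations seen in the tree (Temp and Roaming).
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
# "/START <quoted path>" as used by the dropped binary in this report.
START_SWITCH = re.compile(r'/START\s+"([^"]+)"', re.IGNORECASE)


@dataclass
class ProcEvent:            # minimal Sysmon Event ID 1 shape (assumed)
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str


_TMP = r"C:\Users\Admin\AppData\Local\Temp"
_ROAM = r"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64"
_SAMPLE = _TMP + r"\2024-01-27_d26ea78c92e6c36999cdd5a38327e364_mafia_nionspy.exe"
_DROPPED = _ROAM + r"\sidebar2.exe"

# Constructed events modelled on the process tree in the report.
EVENTS = [
    ProcEvent(2548, 1000, _SAMPLE, f'"{_SAMPLE}"', SAMPLE_SHA256),
    ProcEvent(3000, 2548, _DROPPED, f'"{_DROPPED}" /START "{_DROPPED}"', DROPPED_SHA256),
    ProcEvent(2744, 3000, _DROPPED, f'"{_DROPPED}"', DROPPED_SHA256),
    # Benign control: should trigger no rule.
    ProcEvent(4100, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe", "0" * 64),
]


def hunt(events):
    """Return {pid: sorted list of rule names} for every event that matches
    at least one rule. Events with no findings are omitted."""
    by_pid = {e.pid: e for e in events}
    results = {}
    for e in events:
        parent = by_pid.get(e.ppid)
        tags = []
        if e.sha256 in KNOWN_BAD:
            tags.append("known_bad_hash")
        if FAKE_SYSTEM_DIR.search(e.image):
            tags.append("fake_system_dir_in_appdata")
        # Parent in a user-writable dir launching a *different* binary that
        # also sits in a user-writable dir: the drop-and-execute step.
        if (parent and USER_WRITABLE.search(parent.image)
                and USER_WRITABLE.search(e.image)
                and parent.image.lower() != e.image.lower()):
            tags.append("dropped_exe_from_user_writable_parent")
        # Same image as the parent: the respawn step (PID 3000 -> 2744).
        if parent and parent.image.lower() == e.image.lower():
            tags.append("self_respawn")
        m = START_SWITCH.search(e.cmdline)
        if m and m.group(1).lower() == e.image.lower():
            tags.append("start_switch_self_path")
        if tags:
            results[e.pid] = sorted(tags)
    return results


if __name__ == "__main__":
    for pid, tags in hunt(EVENTS).items():
        print(pid, ", ".join(tags))
```

The hash rule only catches this exact build; the three behavioural rules (masquerading directory name, user-writable parent launching a user-writable child, self-respawn) are what survive a recompile, so in a real deployment they belong in the detection and the hashes in a blocklist.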

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe

    Filesize

    344KB

    MD5

    af87c8a8cfb4b8348c7b9017656f3bc8

    SHA1

    dd4341c3ec01f57b29b7aee4e38a6d8515ac7ef9

    SHA256

    ceadc9758656ba383972cac0f1bb333566e37dbd604914030d29d71d5f4034ad

    SHA512

    8ec52b8dbbffe4fe30dc53ee961cb00d0bba5bcdc40917e136045b4f08b942f5862cef209a6fa4e6f32fb75692a889b1bc9c3a4189329a188c931c7150099c31