Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    27/01/2024, 13:47

General

  • Target

    2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe

  • Size

    327KB

  • MD5

    bb5ff3182739cf9b196117e76c809e25

  • SHA1

    c2a7f97da376c1aa99f4296c3dc752352af4d1ad

  • SHA256

    54bc04a065390bb26b50545b30d90bdf43a4ad8188346257094e194f505deac3

  • SHA512

    e58131c8272b1151b9ff8afb9592acf1efa6e6e446fef9fc9806528ac951cb7738e41a0ca524ac948223a5337668520575849f58238f26f1757639d8b6a79b35

  • SSDEEP

    6144:S2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:S2TFafJiHCWBWPMjVWrXK0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe"
        3⤵
        • Executes dropped EXE
        PID:2768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe

    Filesize

    327KB

    MD5

    ac2e1f23e4e8c3cc1cf9a90a75729c85

    SHA1

    ca515e240478976b6e9e8de427043808180b1c0b

    SHA256

    5df6539bb12b868323001f11bf22cb8bcab77a492fe4a867d5480309ab4a9f7f

    SHA512

    f966a1119a3f875a7ad77ec9c489cc22934d14961207cba90acd77c0c8da1a3498c25caa1edb0475e77bb9e20434c90f6a15046a3fad3f6cf91ed4dd3e79f5ea