Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/01/2024, 20:40

General

  • Target

    2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    e81d376b5a86fa6b49870a9efafc4ffd

  • SHA1

    9cc3cefd965db66e811316ddcf0df2764d9b72e6

  • SHA256

    b75b1b36783f8e09411dbb366e1e1e6936dc6d36339e5dd0baad89e8646d49e1

  • SHA512

    47be397d80bd1d928ebe23c01b8220a2b6779887cdbae07573afaf3129afff7c1cac59fcba61a5a60efa3759bae7a835e3b9b70543a90d6e2833ce23e9b80a4c

  • SSDEEP

    6144:GQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:GQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3244
    • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
        3⤵
        • Executes dropped EXE
        PID:368

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

          Filesize

          280KB

          MD5

          8cbbb9bf22b4aa15e511812ac91ab635

          SHA1

          235c063c22ca0825ef3ddde9d961ac06f588a883

          SHA256

          455f8d10e72fd87a83939b662250921fe724ed0da06faecb054ef8a673fcaece

          SHA512

          1e7ce5025bd83a22b91b939c9fe1ba67d9bbe838b23cccbb61680405dde4426865f8d2c397dcca4023db4ef0721e5fb28ff42ada122ad34586529abe899e8920