Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/02/2024, 09:11

General

  • Target

    2024-02-01_3cf51a911769d803b2523e10ffc65f5a_mafia_nionspy.exe

  • Size

    288KB

  • MD5

    3cf51a911769d803b2523e10ffc65f5a

  • SHA1

    78343eb542e7745cb3c9335beccddec506d23e2f

  • SHA256

    ebf03bba82672b29cef006fbc479784aa3fef1bd6c12b21d5c33f16bdb206137

  • SHA512

    fa716d2a313f73dc915af8bd5ed5d7138c3fe6c717782568084c1931e7508673026e2535ff5d11644dee27a8e41d48882328d0c0dd3d318883df2b7df0aa826f

  • SSDEEP

    6144:JQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:JQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-01_3cf51a911769d803b2523e10ffc65f5a_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-01_3cf51a911769d803b2523e10ffc65f5a_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe"
        3⤵
        • Executes dropped EXE
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe

    Filesize

    152KB

    MD5

    1b81b9db37ff51d56fb2dc0c47c46ce4

    SHA1

    8d44210ab67b3d689fbf5c07b7ddb578885b9ac0

    SHA256

    a85aebf486d9c0a41ed1e11b3874614f45e62254354710d50e69f50e7febbec3

    SHA512

    c381938275b7b217625f87f6b3874af3d20add4ca5e33c3880c7f43d0554c261f0ce929ded2c74106136e716fb366c4d60fef5f41a7841c7bf5307c54e077cc0

  • C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe

    Filesize

    108KB

    MD5

    50974f0b42dd7c7fb60a1d3bec1385ee

    SHA1

    d17f593f89195960d133e42bd3eba3b1a3633d55

    SHA256

    a6b7a3da3a21c421461cfebef7b66612f242f8a02423ca80dcd75ca4e3f01344

    SHA512

    6b6ee854f0d8a6b0d97eb962df0de1b49a40f46b8700996f088eb8aef37086928e7a72546b96faec869a0a6125e02115552cf9f8da7e888279a00b99db946685

  • C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe

    Filesize

    151KB

    MD5

    0a581aac1eea58ff249fb60d9c72747b

    SHA1

    2f044e3b7297076d53623aabc4d9239e5b1b48f5

    SHA256

    01e8d5aeea77370231996b81a72c22333bf35ca4c4314a3622e492db6e8a4c50

    SHA512

    2337715b93c5ea1d34441baa84dfc5da03e44a1064108bac0fa12006ddf229bfeed901cba6055c58a81bd1d30a9e2b31edd20e41f9d04e2a85f4d9ba4b82e854

  • C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe

    Filesize

    288KB

    MD5

    0c81a4121092c240b637dfb2b4ede947

    SHA1

    2da4a880372e1e77b15d9dd88e4ccb8723036a87

    SHA256

    7e0c982223346caafb342f689745b950d118eca6780f19f880e068059d6be2bc

    SHA512

    18ecf85a76f50716781f22c8a1d64d6f4ed6b70b8bbb97b1e748e6e9083d4989ade1149b59fc0ded68452fb1cf41af4648082f7f7afa0c95e47e4d7f7266ff50

  • \Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe

    Filesize

    245KB

    MD5

    cf16946496af27aaf5d86adcbf991858

    SHA1

    5f12eabd3f5f23360a7371e341e778781a8f9834

    SHA256

    aed4273ac025e1c7153f006c9a83a10044b2903dd08d3b99f6e530899812a8a9

    SHA512

    5fc3969c918b2b2d8bfd48cffa531cfa9d85daed130bbfe547fafaa67385e1ebfe3642bd8ce1ae7f847d353905d5b265bdda2aa4a9094d1aa12ee0b635d8a05c

  • \Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe

    Filesize

    170KB

    MD5

    bb61aefd23e5b01cb179bfd27288e972

    SHA1

    a29919974a6330ef74a69d54cb919be751eee94f

    SHA256

    d1e1eb492ff3bf226a39669786f9620c5cd54d145a9b5fcaa0272243323210b9

    SHA512

    12857f622f1db148041de28be9dc7f26b504343a39dcfb95cdf1ef3fbc722f8ad4842865952619bb6d597e63aff5fad8469b55219434a4ddcb8230f5d6ee8e93

  • \Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe

    Filesize

    180KB

    MD5

    cb5deae655d2207baaf33dbaae5c89ae

    SHA1

    413da73f2145dc15049a656be6abde0a77fe706d

    SHA256

    30512a63b89d74a75e512daecafa3eefc20db4a55cff1851fe581eac25db29e3

    SHA512

    d94880cdd4b41d2ae7b4ac35f1944e22db227cf3aa850524ff4004016e0a92e502a60728736ae3cd2feb9eba78d74b584678ab38ad203937cd9009e63ff3166b

  • \Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe

    Filesize

    146KB

    MD5

    1796a6223c815a66f85903998fd41f40

    SHA1

    d449cdb5faecc84fa7277fb12dd5c6ebc0263548

    SHA256

    8054e03acf2ae28ded7df3598dce14a34424dc446e9d625a4bc6f20b7402fe11

    SHA512

    8182dc314d91e4717a3088f682b871988d227b431791bfbed52a9fa374da96e8040dfcb8101af0dd35fcc6c4bb518e38eef85eaa59ff870a304625e89469600b
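The process tree above shows the sample copying itself to %APPDATA%\Microsoft\SView\wlogon32.exe, launching that copy with a /START "<own path>" argument, and the copy then relaunching itself; the Downloads section shows that the same path was written eight times with eight different hashes. The script below is an added example (not part of the Triage report or of the sample) that turns those two observations into detection logic: a hash rule built from the report's SHA256 IoCs, and path/command-line/parent rules built from the process tree. It assumes process-creation records with Sysmon-style fields (Image, CommandLine, ParentImage, SHA256, ProcessId); the records are constructed for the example, the parent of PID 1944 is not given in the report and is assumed, the report does not say which of the eight copies each PID executed so the hashes assigned to PIDs 2848 and 2732 are picked from the list for illustration, and the fourth record (PID 3100) is invented to show a copy whose hash is absent from the IoC list.

```python
import re

# SHA256 values taken from the report: the submitted sample (General section)
# and the eight wlogon32.exe copies listed under Downloads.
IOC_SHA256 = {
    "ebf03bba82672b29cef006fbc479784aa3fef1bd6c12b21d5c33f16bdb206137",  # submitted sample
    "a85aebf486d9c0a41ed1e11b3874614f45e62254354710d50e69f50e7febbec3",
    "a6b7a3da3a21c421461cfebef7b66612f242f8a02423ca80dcd75ca4e3f01344",
    "01e8d5aeea77370231996b81a72c22333bf35ca4c4314a3622e492db6e8a4c50",
    "7e0c982223346caafb342f689745b950d118eca6780f19f880e068059d6be2bc",
    "aed4273ac025e1c7153f006c9a83a10044b2903dd08d3b99f6e530899812a8a9",
    "d1e1eb492ff3bf226a39669786f9620c5cd54d145a9b5fcaa0272243323210b9",
    "30512a63b89d74a75e512daecafa3eefc20db4a55cff1851fe581eac25db29e3",
    "8054e03acf2ae28ded7df3598dce14a34424dc446e9d625a4bc6f20b7402fe11",
}

# Behavioural patterns taken from the process tree.
DROP_PATH_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\SView\\wlogon32\.exe$", re.IGNORECASE)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
START_SWITCH_RE = re.compile(r'\s/START\s+"[^"]*wlogon32\.exe"', re.IGNORECASE)


def classify_event(event):
    """Return the names of the rules that fire on one process-creation record."""
    hits = []
    if event.get("SHA256", "").lower() in IOC_SHA256:
        hits.append("ioc_hash")
    if DROP_PATH_RE.search(event["Image"]):
        hits.append("sview_drop_path")
        # Copy launched with the /START "<path to wlogon32.exe>" switch seen at depth 2.
        if START_SWITCH_RE.search(event["CommandLine"]):
            hits.append("start_switch_self_launch")
        # Copy spawned by an executable running out of the user's Temp directory.
        if TEMP_EXE_RE.search(event.get("ParentImage", "")):
            hits.append("parent_in_temp")
    return hits


def scan(events):
    """Map ProcessId -> fired rule names for every record that triggers at least one rule."""
    findings = {}
    for event in events:
        hits = classify_event(event)
        if hits:
            findings[event["ProcessId"]] = hits
    return findings


# Constructed records imitating Sysmon Event ID 1 for the three PIDs in the report,
# plus one invented record (PID 3100) whose hash is not in the report.
SVIEW = r"C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\2024-02-01_3cf51a911769d803b2523e10ffc65f5a_mafia_nionspy.exe"

SAMPLE_EVENTS = [
    {"ProcessId": 1944, "Image": TEMP_EXE, "CommandLine": f'"{TEMP_EXE}"',
     "ParentImage": r"C:\Windows\explorer.exe",  # assumption: parent is not shown in the report
     "SHA256": "ebf03bba82672b29cef006fbc479784aa3fef1bd6c12b21d5c33f16bdb206137"},
    {"ProcessId": 2848, "Image": SVIEW, "CommandLine": f'"{SVIEW}" /START "{SVIEW}"',
     "ParentImage": TEMP_EXE,
     "SHA256": "a85aebf486d9c0a41ed1e11b3874614f45e62254354710d50e69f50e7febbec3"},  # illustrative pick
    {"ProcessId": 2732, "Image": SVIEW, "CommandLine": f'"{SVIEW}"',
     "ParentImage": SVIEW,
     "SHA256": "a6b7a3da3a21c421461cfebef7b66612f242f8a02423ca80dcd75ca4e3f01344"},  # illustrative pick
    {"ProcessId": 3100, "Image": SVIEW, "CommandLine": f'"{SVIEW}" /START "{SVIEW}"',
     "ParentImage": TEMP_EXE,
     "SHA256": "0" * 64},  # invented: a rewritten copy with an unseen hash
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

PID 3100 is caught only by the path and command-line rules; with eight distinct hashes already written to one path in a two-minute run, the hash rule is useful for confirming a known copy but should not be the only trigger.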