Analysis

  • max time kernel
    121s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-02-2024 05:24

General

  • Target

    2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe

  • Size

    344KB

  • MD5

    0b8787962fafbaa239da627098f4e0af

  • SHA1

    d1ce6cf715b7daf66ec022edad59e69d77592a18

  • SHA256

    739a2b93141723c8880cd1e805abffc7f0b9541d71c7a7d4ac25f1d8b4b47f3b

  • SHA512

    5823e7b14528bf0a131bba518f648dde7ba80cde247087fbc77f55ff474e3a5bfd8a71c9d87746afeef876b1d98f83a6556aeeeafb684db083ca5214d4c32058

  • SSDEEP

    6144:mTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:mTBPFV0RyWl3h2E+7pYm0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4208
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"
        3⤵
        • Executes dropped EXE
        PID:2276

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe

    Filesize

    344KB

    MD5

    e5bb1619099531f9e8e785469c5bc5c2

    SHA1

    5f2ac8a4f00f5bd3e20267012131d5e1fd6008b7

    SHA256

    baed10c8b5b1ae2e6f3090f00a4d4df166386c4dd2405397d45fd2c07ef7109e

    SHA512

    d39d181302f834ba3f42feb5bd0c73c5d624bc753437e855e39763ec61004400ad5af030a1e46bf858299112d6b32a16459369a2f10255738de1e0fc67eb8d24

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe

    Filesize

    78KB

    MD5

    7b2719ae0c9c960a87f129f41b682d47

    SHA1

    f5dde2124c7d63c8d36d6c7508ed6198df5d59c9

    SHA256

    4eae33b5066eae169f6e5fbd7f1db1d1a4150e164205975ef15954077119b356

    SHA512

    273c04999fe62b3100941915971e536bd5be45919f3dad1653bbce12a36b5cf6d93c9657766852e1ccb435ca88c40568caa62246cfbb5730330c4ac35ec77f35

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe

    Filesize

    57KB

    MD5

    3f2407b5e17aa0fcafaddda67984e4df

    SHA1

    2730994ee450a2eff1994e3686dd1e77b34a7f08

    SHA256

    bf1dbed3ab5bfe22a12690809f3e8a66b67c73b8d4e28419da14f325f7b5bc81

    SHA512

    9db5a9c8990d473c986660f599864a197bbeb9242bd48dd17b1aaaeefbc16693b9caa315b5bb6b49a6a29970d9c01ab93b99e16f626511e9fe2f76d05a6fdc7e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe

    Filesize

    62KB

    MD5

    57d44f3da7a007841ebbce0917f61588

    SHA1

    d481c07b822bb89dbe8e3c4798628e359adbd673

    SHA256

    f677c994ff924038efbe50e3c207a128c22af27a7775176d3612fcbfc6467726

    SHA512

    491b8e3815592fe103f21c451ea796f8ad66e8c52ff08ae86f6f0a6cb83617a01490e9a59c42218854a9750ac75427f342fd45666b0edec790dbb8c8b5ed7155