Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20231215-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    12/02/2024, 13:49

General

  • Target

    2024-02-12_961c69a6fc780beec70d9bae1aab4498_mafia_nionspy.exe

  • Size

    344KB

  • MD5

    961c69a6fc780beec70d9bae1aab4498

  • SHA1

    5ea26c67284c8c557127e6dfd4bedcb59f069810

  • SHA256

    a026c256a37e87eb6b5687ec32c51ee209701b30562ecf3d28a724aaf9f15aa0

  • SHA512

    4e195f5106c791453e3ece8f79774f836a2696c83681db2e23cd2cee8e7242056a33742fe18c522c9c09a1dbdb64e559b57b67810d5abd7414e400aeb536d286

  • SSDEEP

    6144:7Tz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:7TBPFV0RyWl3h2E+7pYm0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-12_961c69a6fc780beec70d9bae1aab4498_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-12_961c69a6fc780beec70d9bae1aab4498_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
        3⤵
        • Executes dropped EXE
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

    Filesize

    274KB

    MD5

    a9b6051ed745a08c69936d5cb2bc9cd0

    SHA1

    b651c52e369d4379c692362d4ea222ab29fa5b75

    SHA256

    1511bc07b8c5c04abfcf35131f637deb9c8aeb6f186e25da39c1eb1a8d00820f

    SHA512

    2c7963da29b7801eb58be1b85588b234f381a00873e5d8d8741b2b6bc38d8544eeb905f0c337edccbbe0f043e16c7241a9a10154e15aac79b54946c517076ca1

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

    Filesize

    138KB

    MD5

    d7e59ac0b728ee78852c9e8cd42b5659

    SHA1

    9bdbf4d445be4d1e508527fb582b265a445dce05

    SHA256

    4768fbb7fb9466aede5c8a0ed96489adc991a6c59905e269246cc13ce83d8e5f

    SHA512

    133a64ca37197e325393016c5a8e549251079700174e98a01e8e387616d822001731b6ad814869a29fa4f3b1bcef900e613cf02dc65c7f88909ef2b463cd3f37

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

    Filesize

    127KB

    MD5

    e520f05dcc99001d24de3c48c76ace5a

    SHA1

    77c2906e85d47ea4f8a5ed8b1d170a2ab5481ff0

    SHA256

    ee749d2a4bb24e97be9022486262d6075b81f8c7bfe334eba2de053cbe07657c

    SHA512

    f32bee8d57304b2a089b623d4be742b288cfbd6f9acd82766e999a82f79f0ccd6a8ab024b3c01ed25f4544f52f5b0547bc26b8bfe2523621b83cc29a8ae729d4

  • \Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

    Filesize

    344KB

    MD5

    0248c000af9c222e70b6c79ad1667537

    SHA1

    2a57a07f627d8dcd7624049b74db477cff00f3f6

    SHA256

    218d9f08ba578ea92c93865a6113d702dc063089c66b67d9c948a06d513c0776

    SHA512

    be057588cac6a459ec5b942b9a4bcb51bbb89ddbf5ec415a0b7dec529a2fda35ef7deadec65b80f31e1668dbf4035388c1c5cc71b1f83a61b0d8789ed5b89bac

  • \Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

    Filesize

    293KB

    MD5

    26300832574a474889241c97f0d333a4

    SHA1

    de421d78f64f8062df7307bc36e8d39b100b63cb

    SHA256

    b7a0575d39fce3074e5c1266899a55ad9bc99159437793e519ac1895cf519f3b

    SHA512

    eae45a4673b31961bc8b71fabb965ecfb92929d3078b8b1da32178fe8fdc7f18bcbe6271828e965e14b2dbcaa3c08b93394adf3979c3e2946c26b0e5ef1beb4e

  • \Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

    Filesize

    101KB

    MD5

    97b9a5fc3a0491e458fc243fce466e93

    SHA1

    75ac25fefd929cc3bc82eaac1575dd9cbeb6ae88

    SHA256

    2f52c03959581ed6b6d4f11375395a917bf1bf597d0651500891a60d52f51d3f

    SHA512

    514826b29524b2fe77091e384d567967c801ad572440fe4289fcd6d1344e19c8888096bbf60f0aeaa59fb01c2879d2f1579eb824a08602fa6e16727238e040a3