Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2024-02-24...py.exe

windows7-x64

7

2024-02-24...py.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/02/2024, 01:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-02-24_45a0789b3b248196560d2dfb9b778ed3_mafia_nionspy.exe

  • Size

    327KB

  • MD5

    45a0789b3b248196560d2dfb9b778ed3

  • SHA1

    89ad62e9f4e8cb5872e74a3488d8dac4236f7ed7

  • SHA256

    d9de72d39ce82b5c6950cc62dfc12970ab47b7e94a679f999f213abf4218bf3c

  • SHA512

    0de6461bddad1a91631c80a6f14e6403c45eff8727376f537ebd743b5104f0b886367b3a055816edfb8f0ebc3ab69b0488d8ecd7b838bb8eeb44548f7ca514c1

  • SSDEEP

    6144:p2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:p2TFafJiHCWBWPMjVWrXf1v

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-24_45a0789b3b248196560d2dfb9b778ed3_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-24_45a0789b3b248196560d2dfb9b778ed3_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3356
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
        3⤵
        • Executes dropped EXE
        PID:4816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
    Filesize

    327KB

    MD5

    c454bccf4074c1795fcc5e6a86f0e00e

    SHA1

    607358fe057dec52c852d45fe058598277fac7c8

    SHA256

    1edf2ce5ac5179d756746d1685c9264c5004ce6ecd8666d9648bee8d7066a68a

    SHA512

    dad80baf70f2fc99131907198b1fb917bddc60d556cacf0f21104a26e914d5629758e560e3b912bb402024a9b8c7cd597079068cbc9d65f17cfa248e26c3a762

    Download Submit