Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-02-2024 01:42

General

  • Target

    2024-02-25_f92b1e5b0208625c150c3a59a78e4014_mafia_nionspy.exe

  • Size

    344KB

  • MD5

    f92b1e5b0208625c150c3a59a78e4014

  • SHA1

    545f7c7ff142a4359704ece07f157af80a020cd3

  • SHA256

    9b655e89346579c9d3c77f330d96e46d6671789ef94320b94c1d22703aecf649

  • SHA512

    b4a71d2e7c641aec7f8777b6d5c3a228c517c2503fcabc68ea0ad639a0bbddbd930e3c0be32bae21405c290820844e43b0edc83496e6b0d769c9b14d2534bb22

  • SSDEEP

    6144:3ITz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:4TBPFV0RyWl3h2E+7pYm0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely used for geofencing (refusing to run in certain locales).

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-25_f92b1e5b0208625c150c3a59a78e4014_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-25_f92b1e5b0208625c150c3a59a78e4014_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4636
    • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3260
  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe"
    1⤵
    • Executes dropped EXE
    PID:2080

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe

    Filesize

    10KB

    MD5

    5d9ff7558468eb735ea6dd2b1dbce738

    SHA1

    0659d0b9d10c1ae08445146ad61d6512cb48759a

    SHA256

    8599a8080c669ed9aced7834683bd78a70ab6a66155c51781a5c499fb77ae696

    SHA512

    12b8eeaedec82621563de63827049d1102776333aa67591e11728c88e6c637fc08a506af0ad1a8b2aee175d437c5c44644e679299746381ec45491cdbe15cb71

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe

    Filesize

    29KB

    MD5

    b3b249d4ebc6d08f697b5625bbaa52d2

    SHA1

    0a1ea193c5a170f047bf7d8ae179441dbdb34990

    SHA256

    841f7c06c8bd6a68be6a912f68816e0d24f890ee9c75097b4ddf10a588018541

    SHA512

    9a01b40746413391403d9673c65df25996ef5d8329df4ae4085573d5f75cfbdc162fc2ef5d3ca5c5ed00fab30666512aad94a5fdf51abb406bbf6e2c7e88f7a0

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe

    Filesize

    12KB

    MD5

    d6dca49512311846ac82ced5afcf09b3

    SHA1

    8e062e7670b77780e503582c5f58e0ade1c0ad94

    SHA256

    a1717988e63ac1e680366b5ec23e9ad88f8dc542ec4e27d3f76caa1426a25b4f

    SHA512

    0f1541942f40bf1217ecf9667847af921c9d00cf55d1ff2d4ce61aee2da12382c4f43cc4f80dba7b445b4aa14e1afa067d2657240012be3a65be41248b6f00f1
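The process tree and the Downloads section above give a small, concrete IoC set: the drop path under %APPDATA%\Microsoft\XMMC\sidebar2.exe, the self-referencing "/START <own path>" relaunch, and the SHA256 values of the submitted sample and of the three captures of the dropped file. The following Python is an added example, not part of the sandbox report, that encodes those indicators and matches them against process-creation events. The event shape (a Sysmon-like dict with Image, CommandLine, ParentImage and Hashes keys) and the sample events are constructed for illustration; only the hashes and the path are taken from the report.

```python
"""IoC matcher built from the sandbox report above (added example, not part of the report).

Hashes and the drop path are copied from the report. The event format (a minimal
Sysmon-style dict) and the SAMPLE_EVENTS below are constructed for illustration.
"""
import re

# Drop path from the process tree / Downloads section; the user name varies per host,
# so only the tail of the path is matched.
DROP_PATH_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\XMMC\\sidebar2\.exe$", re.IGNORECASE
)

# "/START" followed by a quoted path, as seen in the report's second process entry.
START_ARG_RE = re.compile(r"\s/START\s+\"[^\"]+sidebar2\.exe\"", re.IGNORECASE)

# SHA256 of the submitted sample and of sidebar2.exe at each of the three captures.
KNOWN_SHA256 = {
    "9b655e89346579c9d3c77f330d96e46d6671789ef94320b94c1d22703aecf649": "submitted sample (344KB)",
    "8599a8080c669ed9aced7834683bd78a70ab6a66155c51781a5c499fb77ae696": "sidebar2.exe (10KB)",
    "841f7c06c8bd6a68be6a912f68816e0d24f890ee9c75097b4ddf10a588018541": "sidebar2.exe (29KB)",
    "a1717988e63ac1e680366b5ec23e9ad88f8dc542ec4e27d3f76caa1426a25b4f": "sidebar2.exe (12KB)",
}


def lookup_hash(sha256):
    """Return the report label for a known SHA256, or None."""
    return KNOWN_SHA256.get(sha256.strip().lower())


def match_process_event(event):
    """Return the list of indicators a process-creation event matches (empty if clean)."""
    hits = []
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")

    image_is_drop = bool(DROP_PATH_RE.search(image))
    if image_is_drop:
        hits.append("image is the XMMC\\sidebar2.exe drop path")
    # The report shows the dropped binary relaunched as: "<path>" /START "<path>"
    if image_is_drop and START_ARG_RE.search(cmdline):
        hits.append("sidebar2.exe launched with /START self-path argument")
    if DROP_PATH_RE.search(parent):
        hits.append("parent is the XMMC\\sidebar2.exe drop path")

    sha256 = event.get("Hashes", {}).get("SHA256")
    label = lookup_hash(sha256) if sha256 else None
    if label:
        hits.append("known hash: " + label)
    return hits


def scan(events):
    """Return (index, hits) for every event that matched at least one indicator."""
    results = []
    for i, event in enumerate(events):
        hits = match_process_event(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events (not taken from the report): one benign, one matching.
XMMC = r"C:\Users\alice\AppData\Roaming\Microsoft\XMMC\sidebar2.exe"
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Hashes": {},
    },
    {
        "Image": XMMC,
        "CommandLine": '"%s" /START "%s"' % (XMMC, XMMC),
        # Hypothetical parent name; the report's parent is the submitted sample itself.
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
        "Hashes": {"SHA256": "841F7C06C8BD6A68BE6A912F68816E0D24F890EE9C75097B4DDF10A588018541"},
    },
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print("event %d:" % index)
        for hit in hits:
            print("  -", hit)
```

Only the SHA256 values are worth keying on; the MD5 values in the report are listed for completeness and collide too easily to serve as an allow/deny key. Note that the three Downloads entries share one path with different sizes and hashes, so a hash-only rule must carry all three, while the path and the "/START" relaunch pattern catch a rebuilt binary that the hashes would miss.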