Overview

overview

7

Static

static

3

2024-03-09...py.exe

windows7-x64

7

2024-03-09...py.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2024, 09:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-09_248a083e93846666d4e63d6e00226eec_mafia_nionspy.exe

  • Size

    288KB

  • MD5

    248a083e93846666d4e63d6e00226eec

  • SHA1

    a763b70ae8a69e62dd1c52a981c653de9c769170

  • SHA256

    f9bce04dc1c440e38272e3ae9c32f6ac1c70b1a682bd4e2c336f883d371f2be8

  • SHA512

    0335615cf6b258de550912663fbe30c0fdf0db10c6532f45187e66073835a871f45574d17c19710869a33055f352d83f735b819fadd9e14ffca71464d5bcf89e

  • SSDEEP

    6144:JQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:JQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-09_248a083e93846666d4e63d6e00226eec_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-09_248a083e93846666d4e63d6e00226eec_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\csrssys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\csrssys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\csrssys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\csrssys.exe"
        3⤵
        • Executes dropped EXE
        PID:3176

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\csrssys.exe
    Filesize

    288KB

    MD5

    cfc671af297dd98b071d5b476f28c250

    SHA1

    3ebfde008342ca1b9799688fb289b4773f1142e8

    SHA256

    c8bd73418fb549f9258a79dbb272b9be46f317e69e6b92916019a730dcecbb61

    SHA512

    993ba2d79735880bad992ca7ab5a9c9e47c26f9cada2acf2c23747dd20fc998bcee6ff659ff02dd5973febc05accafe24665c375dee379c51ef5935f8dd2388e

    Download Submit