Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/03/2024, 03:23 (day/month/year, i.e. 2024-03-11, matching the date in the sample's file name)

General

  • Target

    2024-03-11_1c121c89fe5774bf0c52da0a15ee0525_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    1c121c89fe5774bf0c52da0a15ee0525

  • SHA1

    34c29c13d971730f77558ccd8a6ecb525ce8a6a8

  • SHA256

    4420b065622225475fcbda38f168f154bb6bb2dd368a8a298be8b32d5ae0844c

  • SHA512

    aa9d3431de8d9772c2dbe166070d4a54c0f6bd2624bae1b0931a4cae82a64cf38b7e4b4089cb63712c60df37a9fcd5c3916cbf29d1be4eefc719bea2c5e8046e

  • SSDEEP

    6144:aTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:aTBPFV0RyWl3h2E+7pl

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-11_1c121c89fe5774bf0c52da0a15ee0525_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-11_1c121c89fe5774bf0c52da0a15ee0525_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"
        3⤵
        • Executes dropped EXE
        PID:2720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe

    Filesize

    219KB

    MD5

    bd0061e14ada4361d2185ec331d97395

    SHA1

    97038612dd482cb2fde805a28180f002c49d1071

    SHA256

    d5dc85698cfb358661b927afda2efc3ef5256f97a3822794832f0290efb4dd1c

    SHA512

    ef9acaf0e44fc26f8b1a5dc372b5318f46a5f7b19089a164e8022bb4872f4c4fbf9c5cc0b2a4dde602f7c37d341e2d293b598657fcce03aad0c5a12b5c0ba2ad

  • \Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe

    Filesize

    280KB

    MD5

    f4823c9c5fb666c75f8030cc95fa58d5

    SHA1

    6276edceb0556e0db4f5d8e7507965938d4ea376

    SHA256

    09a820464cd0b1daa2edab3f255d16c8ba74080ecf7a3b4e792c1ed5b7cb5fe9

    SHA512

    a235e019ad95de291ffd7aea6100fe864cef583ba0559dc3807a6907c116e63846273acb1b41c34bedf468077da9eaf12e1a7d092d6cdbc19a83ff1f987a8024

  • \Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe

    Filesize

    115KB

    MD5

    aa1c79300e86ac8e4a7063714e026864

    SHA1

    3489b88fb6361c3cea4d1eadde4fe7f19d37d5c0

    SHA256

    b1367460f25095109d275301ae765b957dc2488316528b1607521121c9b1564c

    SHA512

    08c67c12ca1b35958bfad83a883e2d8f39a8a5d7e72bb3d6c6eee253638926ad32124ac87bf841b373c41cde4bdf4bb8f4e1ae45ced405b830b28ff3f07a91fd
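The Processes and Downloads sections above give a responder two things to hunt for: the drop path %APPDATA%\Microsoft\SysWOW_32\lsassys.exe (a directory name that imitates SysWOW64 and a file name that imitates lsass.exe), and the SHA256 values of the submitted sample and the three lsassys.exe variants. The script below is an added example, not code from tria.ge or from the sample's author. It checks process-creation events exported as JSON lines (field names follow Sysmon Event ID 1: Image, CommandLine, ProcessId, ParentProcessId) against the report's drop path, and hashes files on disk against the report's SHA256 list. The JSON events are constructed to mirror the report's process tree (PIDs 1196, 2528, 2720) and are not captured data. The "lsass look-alike outside System32" rule goes beyond the report and is an assumption: it flags any image named lsass*.exe that is not C:\Windows\System32\lsass.exe.

```python
"""IOC matcher derived from the sandbox report above (added example, not tria.ge code)."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the report: the submitted sample (General section)
# and the three lsassys.exe variants (Downloads section).
KNOWN_BAD_SHA256 = frozenset({
    "4420b065622225475fcbda38f168f154bb6bb2dd368a8a298be8b32d5ae0844c",
    "d5dc85698cfb358661b927afda2efc3ef5256f97a3822794832f0290efb4dd1c",
    "09a820464cd0b1daa2edab3f255d16c8ba74080ecf7a3b4e792c1ed5b7cb5fe9",
    "b1367460f25095109d275301ae765b957dc2488316528b1607521121c9b1564c",
})

# Drop path taken from the report's process tree. "SysWOW_32" imitates the real
# SysWOW64 directory and "lsassys.exe" imitates lsass.exe; neither belongs under %APPDATA%.
DROP_PATH = re.compile(r"\\AppData\\Roaming\\Microsoft\\SysWOW_32\\lsassys\.exe$", re.I)

# Assumption, broader than the report: any lsass*.exe that is not the genuine binary.
LSASS_LOOKALIKE = re.compile(r"\\lsass[^\\]*\.exe$", re.I)
REAL_LSASS = r"c:\windows\system32\lsass.exe"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA256 so large drops do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, bad_hashes=KNOWN_BAD_SHA256):
    """Return (path, sha256) for every file under root whose SHA256 is in bad_hashes."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = sha256_file(p)
            if digest in bad_hashes:
                hits.append((str(p), digest))
    return hits


def classify_event(ev: dict):
    """Return a reason string when a process-creation event matches, otherwise None."""
    image = ev.get("Image", "")
    if DROP_PATH.search(image):
        return "drop path from report"
    if LSASS_LOOKALIKE.search(image) and image.lower() != REAL_LSASS:
        return "lsass look-alike outside System32"
    return None


def flag_process_events(lines):
    """Parse JSON-lines process-creation events and return the ones that match."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reason = classify_event(ev)
        if reason:
            findings.append({"pid": ev["ProcessId"], "ppid": ev["ParentProcessId"],
                             "image": ev["Image"], "reason": reason})
    return findings


# Constructed events that mirror the report's process tree, plus one genuine
# lsass.exe launched by wininit.exe that must not be flagged.
_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-03-11_1c121c89fe5774bf0c52da0a15ee0525_mafia_nionspy.exe"
_DROP = r"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"Image": r"C:\Windows\System32\lsass.exe", "CommandLine": r"C:\Windows\system32\lsass.exe",
     "ProcessId": 500, "ParentProcessId": 400, "ParentImage": r"C:\Windows\System32\wininit.exe"},
    {"Image": _SAMPLE, "CommandLine": f'"{_SAMPLE}"', "ProcessId": 1196, "ParentProcessId": 1000,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": _DROP, "CommandLine": f'"{_DROP}" /START "{_DROP}"', "ProcessId": 2528,
     "ParentProcessId": 1196, "ParentImage": _SAMPLE},
    {"Image": _DROP, "CommandLine": f'"{_DROP}"', "ProcessId": 2720, "ParentProcessId": 2528,
     "ParentImage": _DROP},
)]


def demo_scan(tmp_root=None):
    """Self-contained check of the hash scan using a constructed placeholder file."""
    root = Path(tmp_root or tempfile.mkdtemp())
    placeholder = root / "lsassys.exe"
    placeholder.write_bytes(b"constructed placeholder, not the real payload")
    return scan_directory(root, {sha256_file(placeholder)})


if __name__ == "__main__":
    for f in flag_process_events(SAMPLE_EVENTS):
        print(f"PID {f['pid']} (parent {f['ppid']}): {f['image']} -> {f['reason']}")
    print("hash scan hits:", demo_scan())
```

Against the constructed events the matcher flags PIDs 2528 and 2720 by drop path and leaves the genuine lsass.exe and the original dropper alone; the dropper itself is only caught by the hash scan, which is why both checks are kept. In a real hunt, point scan_directory at user profile directories and feed flag_process_events an export of Sysmon Event ID 1 or Windows 4688 events.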