Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-03-2024 03:23

General

  • Target

    2024-03-11_1c121c89fe5774bf0c52da0a15ee0525_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    1c121c89fe5774bf0c52da0a15ee0525

  • SHA1

    34c29c13d971730f77558ccd8a6ecb525ce8a6a8

  • SHA256

    4420b065622225475fcbda38f168f154bb6bb2dd368a8a298be8b32d5ae0844c

  • SHA512

    aa9d3431de8d9772c2dbe166070d4a54c0f6bd2624bae1b0931a4cae82a64cf38b7e4b4089cb63712c60df37a9fcd5c3916cbf29d1be4eefc719bea2c5e8046e

  • SSDEEP

    6144:aTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:aTBPFV0RyWl3h2E+7pl

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (30 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-11_1c121c89fe5774bf0c52da0a15ee0525_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-11_1c121c89fe5774bf0c52da0a15ee0525_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4512
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"
        3⤵
        • Executes dropped EXE
        PID:4664

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe

    Filesize

    91KB

    MD5

    d1a4d00fc154ea49af6f66e3eb7b6594

    SHA1

    cd3b2deaa755f5744ae3a464dd78aa0ac1482d36

    SHA256

    da152a31ab527a35408c9c5a4a674670021ad1ba3de38433efdc2b6a62e53f1a

    SHA512

    f3614ee7a4d62202de257779587abea730421587f99083d99aec868dd2824c81176b8fcaf6d9278b3d17f0ea11c8ec68d277d17c10eeddd59dfe035c7e8139f6

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe

    Filesize

    280KB

    MD5

    f4823c9c5fb666c75f8030cc95fa58d5

    SHA1

    6276edceb0556e0db4f5d8e7507965938d4ea376

    SHA256

    09a820464cd0b1daa2edab3f255d16c8ba74080ecf7a3b4e792c1ed5b7cb5fe9

    SHA512

    a235e019ad95de291ffd7aea6100fe864cef583ba0559dc3807a6907c116e63846273acb1b41c34bedf468077da9eaf12e1a7d092d6cdbc19a83ff1f987a8024
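The process tree and the dropped-file hashes above are enough to build a host sweep. The Python below is an added example, not tooling from the sandbox report or from the sample: it carries the report's three SHA-256 values as IOCs, flags the masquerading pattern the dropper uses (a SysWOW_32 folder under a user's AppData, an executable named like lsass.exe) and the `/START "<own path>"` relaunch visible in the process tree. The function names, regexes and test inputs are this example's own assumptions. One caveat the report itself shows: the same dropped path was captured twice with different content (91KB and 280KB), so a hash-only IOC list needs both digests, and the path heuristic is what catches a third variant.

```python
"""Host sweep built from the sandbox report above (added example, not the
report's own tooling). Checks files against the three SHA-256 values the
report lists and flags the masquerading pattern the dropper uses."""
import hashlib
import os
import re
from dataclasses import dataclass

# Hashes copied from the report. The dropped path was captured twice with
# different content (91KB and 280KB), so both digests are listed.
KNOWN_SHA256 = {
    "4420b065622225475fcbda38f168f154bb6bb2dd368a8a298be8b32d5ae0844c":
        "initial sample, 280KB",
    "da152a31ab527a35408c9c5a4a674670021ad1ba3de38433efdc2b6a62e53f1a":
        "dropped lsassys.exe, 91KB",
    "09a820464cd0b1daa2edab3f255d16c8ba74080ecf7a3b4e792c1ed5b7cb5fe9":
        "dropped lsassys.exe, 280KB",
}

# Heuristics (this example's own choices): a folder spelled like SysWOW64 under
# a user profile, an executable named like lsass.exe that is not lsass.exe
# itself, and a command line passing the process's own path to /START.
LOOKALIKE_DIR = re.compile(r"(?i)^syswow[_-]?(32|64)$")
LOOKALIKE_EXE = re.compile(r"(?i)^lsass[a-z]{0,3}\.exe$")
USER_PROFILE = re.compile(r"(?i)[\\/]users[\\/][^\\/]+[\\/]appdata[\\/]")
IMAGE_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
START_ARG = re.compile(r'(?i)\s/START\s+(?:"([^"]+)"|(\S+))')


@dataclass
class Finding:
    path: str
    reason: str


def _components(path: str) -> list:
    """Split a Windows or POSIX path into its non-empty components."""
    return [p for p in re.split(r"[\\/]", path) if p]


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_file(path: str, data: bytes, known: dict = KNOWN_SHA256) -> list:
    """Findings for one file: exact hash match and/or path masquerade."""
    findings = []
    digest = sha256_of(data)
    if digest in known:
        findings.append(Finding(path, "sha256 match: " + known[digest]))
    parts = _components(path)
    name = parts[-1] if parts else ""
    parent = parts[-2] if len(parts) > 1 else ""
    if USER_PROFILE.search(path) and LOOKALIKE_DIR.match(parent):
        findings.append(Finding(path, f"SysWOW64 look-alike folder {parent!r} under a user profile"))
    if LOOKALIKE_EXE.match(name) and name.lower() != "lsass.exe":
        findings.append(Finding(path, f"lsass.exe look-alike name {name!r}"))
    return findings


def check_command_line(cmdline: str) -> list:
    """Flag the relaunch seen in the process tree: a look-alike image that
    passes its own path as the argument of /START."""
    m = IMAGE_TOKEN.match(cmdline)
    if not m:
        return []
    image = m.group(1) or m.group(2)
    parts = _components(image)
    if not parts or not LOOKALIKE_EXE.match(parts[-1]):
        return []
    s = START_ARG.search(cmdline)
    if s and (s.group(1) or s.group(2)).lower() == image.lower():
        return [Finding(image, "relaunches itself via /START")]
    return []


def scan_directory(root: str) -> list:
    """Walk a tree and apply check_file to every readable file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    hits.extend(check_file(full, fh.read()))
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
    return hits


if __name__ == "__main__":
    import sys
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit.path}: {hit.reason}")
```

Run it against a mounted user profile (`python sweep.py C:\Users`) or feed process command lines from EDR telemetry into `check_command_line`. The path heuristics will also fire on a legitimately misspelled folder, so treat them as triage leads and the hash matches as confirmations.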