Overview

overview

7

Static

static

3

2024-03-19...py.exe

windows7-x64

7

2024-03-19...py.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2024 03:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-19_fccf66274874898196ba9cb6847f37d6_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    fccf66274874898196ba9cb6847f37d6

  • SHA1

    dfd56a47476ed62f4728a3fa84a855e7538e0f83

  • SHA256

    daa74db3bc5a2788d34aa5a3e8c13c0a77d133f17d0c8f52926fe18ec9e96f3d

  • SHA512

    0628f76ccc304efb0bfeb3793108ca4fd2a950d87c40a2c73028e5b5507262aa8e01b702db46ac9e4e649bf47fb0100d61531fe2f14a2a7fd35754b1f09965c4

  • SSDEEP

    6144:yQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:yQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-19_fccf66274874898196ba9cb6847f37d6_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-19_fccf66274874898196ba9cb6847f37d6_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
        3⤵
        • Executes dropped EXE
        PID:548

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
    Filesize

    280KB

    MD5

    ebe1f81878a5d9845736ad439f2aeb97

    SHA1

    5ca29570c4bc0f0307d29cea82a16f17fc72c857

    SHA256

    748642678d6d96b09b37f9d1f4b9cbfdd321aa0886588a42e31820d1684a9f89

    SHA512

    68a9f578a7abc579084b99403102cc2aff190b9ef1beebe4d15788726ca4e0338f5aacc44d16341a225cec88658924c20d902f20737d90a74bd7919dc628a278

    Download Submit