Analysis

  • max time kernel
    129s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-03-2024 02:44

General

  • Target

    2024-03-28_85fc163a2b19e7de451518dcfe479fac_mafia_nionspy.exe

  • Size

    327KB

  • MD5

    85fc163a2b19e7de451518dcfe479fac

  • SHA1

    4c49af9c16c9ca680bdfa10b6f7d95081b4b7ed0

  • SHA256

    de80a3039338272c124494727d8ad071ce3ec4ba24a484c1ce5dd2e313611997

  • SHA512

    7225d1d090fb1b6c0d019771da8d9e8b9bb75297e1ac0889642b8cfa8de6e64cf1e6290032d15b3afa1f75be63c9fc8ad5e780224714fd05828bbcf9d0b2df6d

  • SSDEEP

    6144:J2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:J2TFafJiHCWBWPMjVWrXK0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (28 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-28_85fc163a2b19e7de451518dcfe479fac_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-28_85fc163a2b19e7de451518dcfe479fac_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"
        3⤵
        • Executes dropped EXE
        PID:3008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe

    Filesize

    327KB

    MD5

    a2f934fc8201ce9f339d3cdc578f35f7

    SHA1

    d869acc089f6d4761f760a5355f2e1745baa697e

    SHA256

    97d9c850f0188d86df8eb79f99f616a660e332d575526351193ac08450aaaa45

    SHA512

    ede4e1237cdb02471d369fdcd89f32b8b5b2cc58a5c281abc926c1c336dae79bf9e579c50fa0565957dfe3b44e9e9e780b00a33f05e1657cf6722067a6492d7f