Analysis

  • max time kernel
    153s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/04/2024, 06:46

General

  • Target

    2024-04-15_37a3d2bb5399944d8db19ebc8a198da9_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    37a3d2bb5399944d8db19ebc8a198da9

  • SHA1

    93c338a3ff814804eed11090641319bec931d718

  • SHA256

    1383fd4cb6b1dd72637cfcb1bfaa0aae1e536405588c333b13f28e153d3870f8

  • SHA512

    4d7bc0e7a1bd73ed38138c6a4f7c654d5c4fb725196c8586c2775f5156d165cf8ddd2c4fc9c6bd28bc3bf386cf0a0bf5e52aa2e5c25c133a50d86fb00bbcdce4

  • SSDEEP

    6144:ZQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:ZQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-15_37a3d2bb5399944d8db19ebc8a198da9_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-15_37a3d2bb5399944d8db19ebc8a198da9_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:568
    • C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"
        3⤵
        • Executes dropped EXE
        PID:1700
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3792
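Read as a detection problem, the tree above shows three things worth alerting on: the sample runs from the user's Temp directory, it writes dwmsys.exe under AppData\Roaming\Microsoft\SView and launches that copy (the "Executes dropped EXE" signature), and the copy relaunches itself with a /START argument that names its own path before spawning a third instance. The msedge.exe utility process is listed as a separate root with no signatures attached, so it is not evidence of activity by the sample. The script below is an added example, not part of the sandbox report and not code from the sample's authors: it runs those checks plus a hash match over a constructed event list. Paths, PIDs, command lines and SHA256 values are copied from this report; the parent PIDs of the two roots, the placeholder hash on the Edge process, and the Sysmon-like field names are assumptions.

```python
import re

# SHA256 values taken from this report: the submitted sample (General) and the
# file it writes to disk (Downloads).
KNOWN_SHA256 = {
    "1383fd4cb6b1dd72637cfcb1bfaa0aae1e536405588c333b13f28e153d3870f8": "submitted sample",
    "f67fad9bcd61fdfddc4e92428b710765f6340c5e938ae01dfbec67c68c330215": "dropped dwmsys.exe",
}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-04-15_37a3d2bb5399944d8db19ebc8a198da9_mafia_nionspy.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed process-creation events, loosely shaped like Sysmon event 1 fields.
# PIDs, images and command lines come from the report's process tree; the parent
# PIDs of the two roots (1234, 3060) and the hash on the Edge process are assumptions.
EVENTS = [
    {"pid": 568, "ppid": 1234, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "sha256": "1383fd4cb6b1dd72637cfcb1bfaa0aae1e536405588c333b13f28e153d3870f8"},
    {"pid": 2192, "ppid": 568, "image": DROPPED, "cmdline": f'"{DROPPED}" /START "{DROPPED}"',
     "sha256": "f67fad9bcd61fdfddc4e92428b710765f6340c5e938ae01dfbec67c68c330215"},
    {"pid": 1700, "ppid": 2192, "image": DROPPED, "cmdline": f'"{DROPPED}"',
     "sha256": "f67fad9bcd61fdfddc4e92428b710765f6340c5e938ae01dfbec67c68c330215"},
    {"pid": 3792, "ppid": 3060, "image": EDGE,
     "cmdline": f'"{EDGE}" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService',
     "sha256": "0" * 64},
]

# Matches the /START "<path>" switch seen on the second process in the tree.
START_SWITCH = re.compile(r'/START\s+"([^"]+)"', re.IGNORECASE)


def user_writable(path):
    """True for the two user-writable locations this chain lives in."""
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or "\\appdata\\roaming\\" in p


def analyze(events):
    """Return {pid: [finding, ...]} for every event, using the parent link where available."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        hits = []
        tag = KNOWN_SHA256.get(e["sha256"].lower())
        if tag:
            hits.append(f"known_hash:{tag}")
        if user_writable(e["image"]):
            hits.append("exec_from_user_writable_path")
        m = START_SWITCH.search(e["cmdline"])
        if m and m.group(1).lower() == e["image"].lower():
            hits.append("start_switch_with_own_path")
        parent = by_pid.get(e["ppid"])
        if parent:
            if parent["image"].lower() == e["image"].lower():
                hits.append("self_relaunch")
            elif user_writable(parent["image"]) and user_writable(e["image"]):
                hits.append("dropped_exe_launched_by_user_writable_parent")
        findings[e["pid"]] = hits
    return findings


def ancestry(events, pid):
    """Walk ppid links back to the earliest parent present in the events (root first)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def alerts(events, threshold=2):
    """PIDs that accumulate at least `threshold` findings, the bar used here for an alert."""
    return sorted(pid for pid, hits in analyze(events).items() if len(hits) >= threshold)


if __name__ == "__main__":
    for pid, hits in analyze(EVENTS).items():
        print(pid, "->".join(str(p) for p in ancestry(EVENTS, pid)), hits)
    print("alert:", alerts(EVENTS))
```

Only the hash rule depends on this particular sample; the other three (execution from a user-writable path, a Temp-resident parent launching a Roaming-resident child, and a binary relaunching itself with its own path as an argument) are behavioural and would fire on a recompiled build with different hashes. On a real host the same fields are available from Sysmon event 1 (Image, ParentImage, CommandLine, Hashes); the Edge process accumulates no findings, which matches its empty signature list in the report.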

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe

  • Filesize

    280KB

  • MD5

    6fcd5c49815e5ac1a684bdd952d53774

  • SHA1

    c6e91175b592c1d9ab170322472f06e6eba4b3ce

  • SHA256

    f67fad9bcd61fdfddc4e92428b710765f6340c5e938ae01dfbec67c68c330215

  • SHA512

    25431efce7637ea617df4d5faafaaa4074b4105e77ace425f7aa4585b2cbe3abc98bb8ed73ac4307af4bdab5fda14fe48fa885a7c2f3c652660bcdd828186fe9