Analysis

  • max time kernel
    140s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/04/2024, 05:32

General

  • Target

    2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe

  • Size

    344KB

  • MD5

    54c242885a6aeffd642918a3851b390a

  • SHA1

    85133557f19905fc2c886e7e8e1c808f8819971c

  • SHA256

    c63db7e699b980a80d6e34f860029e3e5e901312679031b0a07f9706833201b4

  • SHA512

    210c10e2157fc039e909dffce260416703f73cf00d256a21f33f74d9cb27db382f0d489d0744b5e2169676c963c4709606ee3fc8ab69667c37ee1a00a09ff2e9

  • SSDEEP

    6144:TTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:TTBPFV0RyWl3h2E+7pYm0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"
        3⤵
        • Executes dropped EXE
        PID:1184
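The tree above shows the sample copying itself to a user-writable path under a name that mimics lsass.exe, launching that copy with a /START argument naming the copy's own path, and the copy re-executing itself once more. The script below turns those three observations into detection rules and runs them over process-creation events. It is an added example, not part of the tria.ge report and not a Triage export format: the events are constructed to mirror the PIDs and paths shown in the tree, plus an assumed explorer.exe parent (pid 4000) and a genuine System32 lsass.exe (pid 3000) as a benign control; the pid/ppid/image/cmdline schema is an assumed generic EDR or Sysmon Event ID 1 shape.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Assumed generic process-creation record (EDR / Sysmon ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"

# Constructed events mirroring the report's process tree. PIDs 1152, 2584 and
# 1184 and all paths are taken from the page; the explorer.exe parent (pid
# 4000) and the genuine System32 lsass.exe (pid 3000) are assumed additions
# that give the rules a benign control they must not flag.
EVENTS = [
    ProcEvent(1152, 4000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2584, 1152, DROPPED, f'"{DROPPED}" /START "{DROPPED}"'),
    ProcEvent(1184, 2584, DROPPED, f'"{DROPPED}"'),
    ProcEvent(3000, 4000, r"C:\Windows\System32\lsass.exe",
              r"C:\Windows\System32\lsass.exe"),
]

LSASS_LOOKALIKE = re.compile(r"\\lsas+[a-z0-9]*\.exe$", re.IGNORECASE)
APPDATA_EXE = re.compile(r"\\AppData\\(Roaming|Local)\\.*\.exe$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Captures the path given to /START, quoted or bare.
START_TARGET = re.compile(r'/START\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def in_system32(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\system32\\")


def analyse(events):
    """Return {pid: [reasons]} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        parent = by_pid.get(e.ppid)
        reasons = []

        # Name mimics lsass.exe but lives outside System32 (lsassys.exe here).
        if LSASS_LOOKALIKE.search(e.image) and not in_system32(e.image):
            reasons.append("lsass-lookalike image outside System32")

        # Dropped-and-executed pattern: exe under AppData whose parent ran
        # from the user's Temp directory.
        if APPDATA_EXE.search(e.image) and parent and TEMP_DIR.search(parent.image):
            reasons.append("AppData executable spawned by a Temp-dir parent")

        # /START <own path>: the copy is told to (re)launch itself.
        m = START_TARGET.search(e.cmdline)
        if m and m.group(1).lower() == e.image.lower():
            reasons.append("/START argument names its own image")

        # Parent and child share an image path: second-stage self-relaunch.
        if parent and parent.image.lower() == e.image.lower():
            reasons.append("re-executes its own image (parent has same path)")

        if reasons:
            hits[e.pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in analyse(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run against the constructed events, the first stage (pid 1152) and the real lsass.exe produce no findings, the dropped copy (pid 2584) trips the lookalike, Temp-parent and /START rules, and its child (pid 1184) trips the lookalike and self-relaunch rules. The lookalike rule deliberately exempts System32 so the genuine process is never flagged; on a real fleet you would also want to cross-check the dropped file against the SHA256 listed under Downloads.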

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe

    Filesize

    344KB

    MD5

    c0238ff134caaafc2c885e84f16a87f8

    SHA1

    aedff9d4b18f2445f86905f1dd85a6fd5ae87cb2

    SHA256

    a67d38dfaf2e556639632308688c6143d4d07516465d3e101cb7424fc93cfb8e

    SHA512

    9c30a810d7b3f6b628cef817eba42b5f8afb5184ce0945d81b5ae849ad297c6ce474193e66162e6e5cf8e7ac5e6ee4f63132f8d4d31ef9520d934bba5f3e2d35