Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-04-2024 07:48

General

  • Target

    2024-04-25_970043f1c87524cc588c027fa182f855_mafia_nionspy.exe

  • Size

    328KB

  • MD5

    970043f1c87524cc588c027fa182f855

  • SHA1

    fc61a492a72995d016619fac2b8afbb715e25635

  • SHA256

    3e1de46920dd3f27b355ccac40dab6934c56c6ce7b40d23734e7242dae7bd157

  • SHA512

    e234e0e6cd4e8667856e54142557f7e9795ca657a8c117e02fcd1c38de40803b61b23b38d6273a2c2ad97aac8151301a0a9ed63cc07a153cf4c094b8c366db3c

  • SSDEEP

    6144:g2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:g2TFafJiHCWBWPMjVWrXf1v

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (30 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-25_970043f1c87524cc588c027fa182f855_mafia_nionspy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-25_970043f1c87524cc588c027fa182f855_mafia_nionspy.exe"
    Depth: 1
    PID: 2508
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe"
      Depth: 2
      PID: 5036
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe"
        Depth: 3
        PID: 1500
        • Executes dropped EXE

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe

    Filesize

    328KB

    MD5

    1316ae8c96af983fa858e7b7d4ab0bb1

    SHA1

    17a91373d4853a7252f03514538beb8409cf95aa

    SHA256

    b3a8920f5796dc59da3d302d8060eb43a5f250912d056af1599543c2f6c88d5f

    SHA512

    96a9ec09996063f22ccdddf63388f990f325945ae2ffcbb44c9b94ce7342ce66a3579660a415e7b69456ff333b0f8f7571406066a3a2bb17b9deb084b715366e