Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/04/2024, 03:49

General

  • Target

    2024-04-30_c8683ba35b1593f691610157d0d54ccf_mafia_nionspy.exe

  • Size

    288KB

  • MD5

    c8683ba35b1593f691610157d0d54ccf

  • SHA1

    03f102de8e3908e66382c692783c025035a852f9

  • SHA256

    c44bbf081471bd0436325ed137966f2a9a9a725d56b3309666d22c29562fd608

  • SHA512

    5c89e4958ac499e248b4906f8bbd4a6582b4bbffee98a21971c339fd907ca79510ef1b2428583e701bc38d63625f86f6aeaf3e2bd1de5c46f7529def1664ee40

  • SSDEEP

    6144:fQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:fQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-30_c8683ba35b1593f691610157d0d54ccf_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-30_c8683ba35b1593f691610157d0d54ccf_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe"
        3⤵
        • Executes dropped EXE
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe

    Filesize

    288KB

    MD5

    d1f5bf503c360d8b63dbda942e8558b9

    SHA1

    0f6e5151e1fabd3cb4fb3ae6ab32d216dbeed3e0

    SHA256

    742b8a7d70f31b4e6e357b2eb093ed13f3a796e75a51670ea8852acc24d95b42

    SHA512

    47e789436b35081de6734249d11bcde04842d830305c38c3781368ee151fa48fa6ff7cf17d5755cb1bac8a62c0f1c896f2be7dd98215f42ab7f215cea1661755