Overview

overview

7

Static

static

3

2024-04-30...py.exe

windows7-x64

7

2024-04-30...py.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 14:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-30_be68dd2aee7b19c03d927d8dd8c41121_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    be68dd2aee7b19c03d927d8dd8c41121

  • SHA1

    80cca647de39ffb5d5222ab585d94ff777e0bc78

  • SHA256

    8a521e5b7fd0b754a64bd5ad4ba5450b97c9bcc22b751466faa73957e9ecaa23

  • SHA512

    923d6766179c75aade6dfc15a13515436e3d7b126407b1481537a00132f630e455567f875dfe2058f32309e9b8fc0d905f743913b7ac45b37f9707c01fdb53eb

  • SSDEEP

    6144:qTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:qTBPFV0RyWl3h2E+7pl

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-30_be68dd2aee7b19c03d927d8dd8c41121_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-30_be68dd2aee7b19c03d927d8dd8c41121_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe"
        3⤵
        • Executes dropped EXE
        PID:5064
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3824 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4288

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe
      Filesize

      280KB

      MD5

      4580e8761d5078ebab3b761a9ddb3ee1

      SHA1

      5a24c43b9ee5e5544aba8cd0db8e5c291937da11

      SHA256

      5513575b83b02b8fe0c61de1ee69c664da56ae6a84b3990d0281522cbad8286c

      SHA512

      0257137c47b4cc0c0dae021c15613606531332a4d8d557403df15937c1c977d796d5fa89267809782c2cc0c280cf7ff9b0aea83b116bd08f0b47359cf54c7fa7

      Download Submit