Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-05-2024 23:41

General

  • Target

    2024-05-10_30e9ff8c4a42fc4b32576f22b3431a79_mafia_nionspy.exe

  • Size

    348KB

  • MD5

    30e9ff8c4a42fc4b32576f22b3431a79

  • SHA1

    1dcb87040aec5d42f73d5477e95d80dab354bb83

  • SHA256

    877e2493020ddb9a351bc2ffbf30dd46d6fe1159a3de898bffa66cbfd96d6b48

  • SHA512

    21dd058a4e3703905650fa50e5168246f50847af71a97f6b1fa60209dc34cbcc740f9183bd508b66844b89c350ca415c9f7356becaadae6276c0dc3d9ad13836

  • SSDEEP

    6144:T2+JS2sFZfI8U0obHCW/2a7XQcsPMjVWr289gkPzDhmv:T2TFZfJiHCWBWPMjVWrHfmv

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-10_30e9ff8c4a42fc4b32576f22b3431a79_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-10_30e9ff8c4a42fc4b32576f22b3431a79_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe"
        3⤵
        • Executes dropped EXE
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe

    Filesize

    348KB

    MD5

    b1b743f72f8005b53de05115b1420884

    SHA1

    fafb755e48c2a6ee45fd4f5006844e3de53d46b9

    SHA256

    f683149f85c71ff8fddb439fc5e3aa16f6c7ad9607baac3626a0ad2b1ad50bd7

    SHA512

    e79a953b3002e3426d78197340dca29553ed77a57777f3291c0971d84ff96051fcc78627474036ed3c5f0be6de13c223202940191dd6d462dceb7f5c285c9e64

  • memory/2236-0-0x0000000000AD0000-0x0000000000B2C000-memory.dmp

    Filesize

    368KB

  • memory/2236-25-0x0000000002C20000-0x0000000002C30000-memory.dmp

    Filesize

    64KB

  • memory/2236-26-0x0000000002ED0000-0x0000000002F2C000-memory.dmp

    Filesize

    368KB

  • memory/2236-32-0x0000000000AD0000-0x0000000000B2C000-memory.dmp

    Filesize

    368KB

  • memory/2684-37-0x0000000000ED0000-0x0000000000F2C000-memory.dmp

    Filesize

    368KB

  • memory/2684-39-0x0000000000ED0000-0x0000000000F2C000-memory.dmp

    Filesize

    368KB

  • memory/2764-33-0x0000000000ED0000-0x0000000000F2C000-memory.dmp

    Filesize

    368KB

  • memory/2764-38-0x0000000000ED0000-0x0000000000F2C000-memory.dmp

    Filesize

    368KB