Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01/06/2024, 18:27

General

  • Target

    2024-06-01_61ad0c28260978bdd59d804d778af0fa_mafia_nionspy.exe

  • Size

    274KB

  • MD5

    61ad0c28260978bdd59d804d778af0fa

  • SHA1

    6fd27e5dda69a831dcbc55400c50bf289f779bac

  • SHA256

    7cc5954adf678252411b419b50644ef4738203d7671545e17f17a76e32c0f432

  • SHA512

    d52b6393acbe2231b6f156aa3b7f49be46543f2334a68ed32ed0bd5619400ffb91a9cebd1722a0fd8aaa287a9f26ad0cfe332dfe4711c0f22d633000d41c4018

  • SSDEEP

    6144:CYvZ6brUj+bvqHXSpWr2Kqz83Oad3Jg4PlPDIQ+KLzDDg:CYvEbrUjp3SpWggd3JBPlPDIQ3g

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-01_61ad0c28260978bdd59d804d778af0fa_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-01_61ad0c28260978bdd59d804d778af0fa_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"
        3⤵
        • Executes dropped EXE
        PID:2636

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe

    Filesize

    274KB

    MD5

    c5e3f3a4f751d65f9f4d5734d4a0d0e7

    SHA1

    046f16bd3de11addadf659ed59a5f12132d11457

    SHA256

    523c4952888204469401676761fc44a0ed632db4aa3d2f5d97942fb5df4cfc02

    SHA512

    d44e414e6f07295cd83732c88efcc32c990ebee15506648d559f283b1b00064b0feb62a38f474fee66e03ab31b71cd8d996f0ebc3866233a9fed5144540097f1