Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 04:55

General

  • Target

    2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    fe09d9d0de35a022bbc3afac14a2c20b

  • SHA1

    17c223997edccc51b0c4e742a3c45ab28c3cd03d

  • SHA256

    9035865a346cc5bb6381a1654fc5caf629c178bbc2341bb0f6cfc0c4fe222d33

  • SHA512

    ef32c629db04d0f1dd1cfde0aa1a16154c85b8412fbda3725742b915de4a503f97d1dbd33a13765d7d04957f417f3e6f9fd0969c6d05ee909d8c4372267da6f1

  • SSDEEP

    6144:TTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:TTBPFV0RyWl3h2E+7pl

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (30 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3484
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe"
        3⤵
        • Executes dropped EXE
        PID:1640

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe

    Filesize

    280KB

    MD5

    1aa020d537d40acabd017ec23f35ce33

    SHA1

    585418ccb0f42719c6173d96f92e43fcafab2b74

    SHA256

    27113fe7e79a75c25bba3a0d73396edbc579fa741a57fb4c6053299d7b9dcbaf

    SHA512

    b19ff5e39faee7519fc985e0116f0094f36c6be293dbcec802be9317ae5d4a868068edd9884b9022599b30538116fd6f3b1811f705aaf1da738f5acca371d43b