Overview

overview

7

Static

static

3

2024-06-03...py.exe

windows7-x64

7

2024-06-03...py.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    135s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/06/2024, 01:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-03_ea2f7772ba3af03e5727ed60c5c54c60_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    ea2f7772ba3af03e5727ed60c5c54c60

  • SHA1

    dadc3c27ac53c4fa227c2153b5305a4e064cf3f8

  • SHA256

    990790947d48ba9d0ef91eeea8f9a46c3b7edc4f22c134e2dc5e47ad1c635baa

  • SHA512

    3ab469c50bd4f40607087b2da8663575e49f85a52d45706d90afd5d8d1be51ffec52a9c2a75b2aedffa189014bd4588dd3e78d692faec7d8b81bdba786bfc258

  • SSDEEP

    6144:FQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:FQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-03_ea2f7772ba3af03e5727ed60c5c54c60_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-03_ea2f7772ba3af03e5727ed60c5c54c60_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\winit32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\winit32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\winit32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\winit32.exe"
        3⤵
        • Executes dropped EXE
        PID:5004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\winit32.exe
    Filesize

    280KB

    MD5

    17129360774fb04bc19ace826bef1aa5

    SHA1

    09d2515ab9dacd038726d40181920e253b6d16e4

    SHA256

    790b16c753e57b8a1a2c2436c295f25cdd47503732d497b0fbd86cf603893c85

    SHA512

    91c8b7a137e1fa0c9a97eab0bdd0a5910bf3e5e7641b4038523a0bf79aa32730edff22e753bee0ffd54ece4ca8572e6b5dc7b6bec29dd6e71b465204e23bda58

    Download Submit