Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/06/2024, 10:39

General

  • Target

    2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe

  • Size

    279KB

  • MD5

    dcea9ddaa24bc1c50eda1bca9b6ab849

  • SHA1

    93fb9b86a4c20ffc6a3022945a14852b46cb2adf

  • SHA256

    02874dafe44a7f2ad7e4f9c7b2806d585909dfb2fac8454007da8317ce8443aa

  • SHA512

    16c283c829589731b860bc57913e85e17027a2aecf7eba3492465ea0a929d633011fccc12061880508a48d2eae039426c694cd62dab3a5338914301e1dd5bdf1

  • SSDEEP

    6144:dTz+WrPFZvTXb4RyW42vFlOloh2E+7phg7ozD:dTBPFV0RyWl3h2E+7ph

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe"
        3⤵
        • Executes dropped EXE
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe

    Filesize

    279KB

    MD5

    5f9e26bfae81d928e75ed202cc823f57

    SHA1

    2402bee3182d34d8f1040cd9928d8e5fd5869fe3

    SHA256

    d31ca6869bfcad98d3434cd3fe5a17cabc6f880ca71ea2baf4b5975490b86e81

    SHA512

    679e0f3b59d3b4735f432f156755baffc642e4b9c8e9fda9496e3f5e633da742e8edeaac951e0c0526c8ec230bd2f3dbd80994d7a01d23f6de170568be5f4dac