Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-06-2024 06:42

General

  • Target

    2024-06-11_0f308cb99d34f52b5dd8200b7b0ca428_mafia_nionspy.exe

  • Size

    288KB

  • MD5

    0f308cb99d34f52b5dd8200b7b0ca428

  • SHA1

    80ca34bff63a7582aea7af03588bb3309e1d1008

  • SHA256

    3d1a2ebacc88af74a7fd8a44ac5befa7798a27dd84cd4d8a80edfc36403b8a8c

  • SHA512

    e8961fa74ba11da3fcec7d845845a3853a85306a9108f50af18fbb061fbbd700825b3d515ed7748b91bc125db88003294f8f6ab655708fadb4f3968d37ed54f7

  • SSDEEP

    6144:pQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:pQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-11_0f308cb99d34f52b5dd8200b7b0ca428_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-11_0f308cb99d34f52b5dd8200b7b0ca428_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe"
        3⤵
        • Executes dropped EXE
        PID:2568

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe

    Filesize

    288KB

    MD5

    f64aa309854904b4460653aeaedff3b6

    SHA1

    698d396ffdc4572addb03cdedcabc3465e84449b

    SHA256

    9da9ac86377893100d8250c6b1108e8b7aa62637a9ab3d562d1840a879351fef

    SHA512

    a0d5c0d6cf7a0206f98158ed635fe7ce2228ff29d43dbb9bb8c0d61220c2c12a138d96e5fcd524c87ba2243249f21180fac50e2ae96f63adbe6e8188380b94d4