Analysis

  • max time kernel
    140s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-07-2024 18:59

General

  • Target

    2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe

  • Size

    274KB

  • MD5

    fee15c8df2f4e2e21308830600808156

  • SHA1

    3b0815b26cbc46863a99790cdf54d58655261bf1

  • SHA256

    9e78f8a9aca04f3b5e905f2b88c756e3a468293b8ded688918535045ee68860c

  • SHA512

    23719b2310b8ee4f6edf82c581fb49f1ce25f8d6e77928533a885489079ac2421b72201cbe8de9497f8d66bff20523ac1cb650086f0becd3d9530759bc9abdbb

  • SSDEEP

    6144:uYvZ6brUj+bvqHXSpWr2Kqz83Oad3Jg4PlPDIQ+KLzDDg:uYvEbrUjp3SpWggd3JBPlPDIQ3g

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (30 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3488
      • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
        3⤵
        • Executes dropped EXE
        PID:3564

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

    Filesize

    274KB

    MD5

    5f6523d2d8b0df7d25f5fd67478567b9

    SHA1

    f889455fe94e858b0e38ed8bd8175932dc7a8939

    SHA256

    4daca14e6d5cc6c92f501a4a024df178d9ccdebea3102b9a172f8012dcf72ff2

    SHA512

    698be84f7448e99079be595e100800d48eead17d58b0c320bb8424fee980636dd55ed9408b06aa08c1acef5e1f09111b734c48054cd0bf4f39b09671767dd3f6
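Added hunting example (not part of the sandbox report and not the sandbox's own rules): the process tree above shows two hops worth turning into detection logic, a Temp-resident sample launching an EXE it dropped under AppData\Roaming\Microsoft\XMMC\ with a /START argument, and that EXE then starting a second copy of itself. One caveat the hashes make explicit: the dropped wlogon32.exe is the same 274KB as the submitted sample but has a different MD5/SHA1/SHA256, so it is not a byte-identical copy and a hash-based IOC list must carry both sets of hashes. The script below runs both behavioural rules and the hash match over constructed process-creation events that mirror the report's tree (PIDs, images, command lines and hashes are the report's; the explorer.exe and notepad.exe events are invented benign noise). The event schema and rule names are this example's own.

```python
"""Hunt for the drop-and-relaunch chain and hash IOCs from the sandbox report."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Paths and hashes are copied from the report above.
DROPPED_IMAGE = r"C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
SUBMITTED_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                   r"\2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe")
IOC_SHA256 = {
    "9e78f8a9aca04f3b5e905f2b88c756e3a468293b8ded688918535045ee68860c": "submitted sample",
    "4daca14e6d5cc6c92f501a4a024df178d9ccdebea3102b9a172f8012dcf72ff2": "dropped wlogon32.exe",
}


@dataclass
class ProcEvent:
    """One process-creation event (field names are this example's own, not a vendor schema)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""  # empty when the sensor did not hash the image


# Constructed sample telemetry: the three middle events mirror the report's process tree;
# the explorer.exe and notepad.exe events are invented benign noise the rules must ignore.
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4724, 1000, SUBMITTED_IMAGE, f'"{SUBMITTED_IMAGE}"',
              "9e78f8a9aca04f3b5e905f2b88c756e3a468293b8ded688918535045ee68860c"),
    ProcEvent(3488, 4724, DROPPED_IMAGE, f'"{DROPPED_IMAGE}" /START "{DROPPED_IMAGE}"',
              "4daca14e6d5cc6c92f501a4a024df178d9ccdebea3102b9a172f8012dcf72ff2"),
    ProcEvent(3564, 3488, DROPPED_IMAGE, f'"{DROPPED_IMAGE}"',
              "4daca14e6d5cc6c92f501a4a024df178d9ccdebea3102b9a172f8012dcf72ff2"),
    ProcEvent(2200, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Drop location seen in the report: <profile>\AppData\Roaming\Microsoft\<one folder>\<name>.exe
APPDATA_MS_EXE = re.compile(r"\\AppData\\Roaming\\Microsoft\\[^\\]+\\[^\\]+\.exe$", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# A slash-prefixed token at the start or after whitespace, e.g. /START
SWITCH = re.compile(r"(?<!\S)/[A-Za-z]+")


def switches(cmdline: str) -> List[str]:
    """Return the upper-cased command-line switches in a Windows command line."""
    return [s.upper() for s in SWITCH.findall(cmdline)]


def find_drop_and_relaunch(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    r"""Behavioural rules for the two hops in the report's tree.

    dropped_exe_from_temp: a Temp-resident parent starts an EXE under AppData\Roaming\Microsoft\<dir>\.
    self_relaunch: such an EXE starts a second copy of itself (parent image == child image).
    Returns (rule, child pid) pairs in event order.
    """
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not APPDATA_MS_EXE.search(e.image):
            continue
        if USER_TEMP.search(parent.image):
            hits.append(("dropped_exe_from_temp", e.pid))
        if parent.image.lower() == e.image.lower():
            hits.append(("self_relaunch", e.pid))
    return hits


def match_hash_iocs(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Exact SHA-256 matches against both the submitted and the dropped file's hash."""
    return [(e.pid, IOC_SHA256[e.sha256]) for e in events if e.sha256 in IOC_SHA256]


if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for rule, pid in find_drop_and_relaunch(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid} switches={switches(by_pid[pid].cmdline)}")
    for pid, label in match_hash_iocs(SAMPLE_EVENTS):
        print(f"hash IOC: pid {pid} is {label}")
```

The self-relaunch rule fires on any image that starts a copy of itself from that AppData path, so it does not depend on the /START switch; the switch is reported alongside the hit because it is the only distinguishing argument in the report's command lines and is useful for triage, not as the match key.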