Overview

overview

7

Static

static

3

2024-08-07...py.exe

windows7-x64

7

2024-08-07...py.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    63s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    07/08/2024, 03:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-07_16d3b0452e0da7ab59a7f3cc55435102_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    16d3b0452e0da7ab59a7f3cc55435102

  • SHA1

    96abb56abca72bd71f2b363ef67b1671a91922ea

  • SHA256

    50d9d79a5d02c8941e5154b5b92c87951fd50690030dd520cb76fbbe90adb1d9

  • SHA512

    1c1895507fcc7bba9c97b2a27c0226e78ef58056b541941a082e445921a3e131957395a7f755760958e2103ee18abb0e29d7fa50f8939c8d87d509bb16752740

  • SSDEEP

    6144:BTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:BTBPFV0RyWl3h2E+7pl

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-07_16d3b0452e0da7ab59a7f3cc55435102_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-07_16d3b0452e0da7ab59a7f3cc55435102_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe"
        3⤵
        • Executes dropped EXE
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe
    Filesize

    280KB

    MD5

    6d5af77b787bb689ecb28f5a23e5cc78

    SHA1

    837007b6c2b72d5d339f904bb7beb0a6d2bcf3d9

    SHA256

    4787261cd66539cc08898ae15ab86fdeaf01c2a3817968c1c5e87c2319e6a8e1

    SHA512

    121d22a21ad4d7c1487c92256af1b6d95d487cd56a937d4535546fd36f0ca00923020a9cebe6fcda1110ba80a3433f23f9d0feb3b43bba77cafc8154f0ab32ac

    Download Submit