Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-08-2024 06:27

General

  • Target

    2024-08-11_62a486f9bf8519b663f2ac7705159547_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    62a486f9bf8519b663f2ac7705159547

  • SHA1

    fe199c07e057faa2d0bdaf98fd46b10afccbcf04

  • SHA256

    5ff475124cb3134f699bb7a6fab15aa74908f4dd42383675c2c09068a467b663

  • SHA512

    3dd722daa40ffd9ceb76be3ba6994b109a9fba1294bff9f46e935be0450914f420a0def0ecd4de9e76485ede7ac13155634e44687270be597762a667d954f4a6

  • SSDEEP

    6144:JTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:JTBPFV0RyWl3h2E+7pl

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-11_62a486f9bf8519b663f2ac7705159547_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-11_62a486f9bf8519b663f2ac7705159547_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4668
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe"
        3⤵
        • Executes dropped EXE
        PID:1948

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe

    Filesize

    280KB

    MD5

    2f0624ce844e67d7da78c456e5d238a2

    SHA1

    3bf0e1efba6c444f1f6802172fd150c459596595

    SHA256

    250b9267784c96b6987b3aaeb04314f034ffcd063d61ba46651546a0583d4a37

    SHA512

    e2bb5f3ae1c062e24e4beebb891efc8c924809bfab412398c9444da5355be39e3e74960de4d2bc61ea2d7ee4f9e77fe7358ba9cc8d476da7a2ca3d9c57f20df1