Overview

overview

7

Static

static

3

2024-08-18...py.exe

windows7-x64

7

2024-08-18...py.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    123s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    18-08-2024 09:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-18_df9e825c62c2d6f8aa6ee405a0ddd1cc_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    df9e825c62c2d6f8aa6ee405a0ddd1cc

  • SHA1

    9215357aed815f10364c2a028e86b42a0326651a

  • SHA256

    8458d5a9ca0c29e58bf4d7aa4213ba2be3d408eb0ebe06ab7626b4be6b664084

  • SHA512

    a8e61bccacdbac3f7c2a914c310e62af71d23282e5bd6a6a128493ebe448b1050e416fb05f1a27a29ccd5487708d4b791b493d2ec6e67273f4c6301375fa02ef

  • SSDEEP

    6144:6Q+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:6QMyfmNFHfnWfhLZVHmOog

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-18_df9e825c62c2d6f8aa6ee405a0ddd1cc_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-18_df9e825c62c2d6f8aa6ee405a0ddd1cc_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe"
        3⤵
        • Executes dropped EXE
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe
    Filesize

    280KB

    MD5

    6bbbb95c194b918026a07998c9ebdf81

    SHA1

    1c1f4ae9277d399e395c419085e9d2e41ab273c7

    SHA256

    101e286daa528bd8df6351423a48ed1e31aca46180f0e1dbc9b05c4c217af89a

    SHA512

    3dc30b2fac1219dae3160f79d60882ed97baf02882aba4f301be894abdb8c5ecfee716d195ad4d59e9bbbba1d308aafc1860b8dbec5ec0d3a12f039c75f3ebd8

    Download Submit