Overview

overview

7

Static

static

3

2024-08-19...py.exe

windows7-x64

7

2024-08-19...py.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    135s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/08/2024, 08:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-19_2698986bc32c641fd49bc10ba9c70276_mafia_nionspy.exe

  • Size

    288KB

  • MD5

    2698986bc32c641fd49bc10ba9c70276

  • SHA1

    5bdbf4bb7432f7aeb672b91134bd6bcb3ff294fe

  • SHA256

    31e1fde58db06060601666c7b497a936706e3530a683538e94b6f322cd1fdf86

  • SHA512

    3c523d7816e4893947321a4d9be3ec0e39d92b777d2487727bde019ef183a041814df5a87449acb3734ae668accebf8d9619054fb0c7a4288e5aae16698b859a

  • SSDEEP

    6144:IQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:IQMyfmNFHfnWfhLZVHmOog

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-19_2698986bc32c641fd49bc10ba9c70276_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-19_2698986bc32c641fd49bc10ba9c70276_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe"
        3⤵
        • Executes dropped EXE
        PID:2180

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
          Filesize

          288KB

          MD5

          fc236e07c8468d4fd29d18c81e733161

          SHA1

          a73097d13c615a4d421570644cb1d2613334462b

          SHA256

          61d142cf1115252d8e6ec53964a1a248b37658799a1db2df5413b567b2870ff5

          SHA512

          94913482ee2c515970466f0438a6a2c6267b7c7857c2b6d9f9e01cf2614d04ee1f20fae42202008a38ab823b6664dff9c7ad1ac0d334245d66ef734b2225e625

          Download Submit