Analysis

  • max time kernel
    120s
  • max time network
    63s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 10:09

General

  • Target

    2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    790c93e93ca7b7c3cdc9da3e70dc52cc

  • SHA1

    ed5ed0c947e3e0a83432f928acfe0283682912d4

  • SHA256

    690c99dbd24a6160a035e6b2aa327ffe21bcc99e4e7afd0e5ec28c1b110b21ae

  • SHA512

    28b63296de9403ad8ede4fe80709c51b89c6db5fd14dcaad78a3db36b56c561326af796ba9cc45e7124b9a75239fa612f372ad27dcb154653bc14df4777ea7c5

  • SSDEEP

    6144:0Tz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:0TBPFV0RyWl3h2E+7pl

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"
        3⤵
        • Executes dropped EXE
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe

    Filesize

    280KB

    MD5

    a3f8cbc0c01d908299e7128d61ca044f

    SHA1

    3aaea9dd2f1f37ca0e013a87dc05ec08118813e4

    SHA256

    0133f7f5e45800dd4ca6e13eb91d1fb171a555ac370f6326bda711379ff20649

    SHA512

    f2cad0f5ba348c815698f23d50428bbf364125295482f60af8547023e2fd4b8c80983812c2adb639f1dcd2d1cc1ec1134ce51af674a93cdb2cdc92188c99b966