Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/08/2024, 03:36

General

  • Target

    2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe

  • Size

    327KB

  • MD5

    8a51dc8f58c2c733233f2fd2d287b4fe

  • SHA1

    b1b31d6b8ad36adc40a272796f0c012e9d01254d

  • SHA256

    5535eab47e402dbb8ad50113cd19d821afe6b37ad6019e628289f8a5dadf1987

  • SHA512

    6969c562878e9239ad2a85ee0d51f5d7df1949e2af8ed947c17df3be9710be4d36547519faf5a53a288c973ab3e2bc46f0c13fa6a30f1f87a83fb77fd7586589

  • SSDEEP

    6144:T2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDhn2+6:T2TFafJiHCWBWPMjVWrXfn2z

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (28 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"
        3⤵
        • Executes dropped EXE
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe

    Filesize

    327KB

    MD5

    e7e89273f416be3fe8659d8472d2b352

    SHA1

    61ac4436c471d38cea63501fe8731b121627e010

    SHA256

    47b27352d91f81f55d822a3f60c02bdedca7f04c6e74e38aed5a98fc5a27caa6

    SHA512

    eac2fa63c13abc8a07716ba83a75040189219e94e12b77e316d208f8cf9421786c0572b6e3d0c32b179243815164f5f33d67b055f8eb0617f248bde1faf9bc8f