Overview

overview

7

Static

static

3

2024-09-19...py.exe

windows7-x64

7

2024-09-19...py.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 05:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-19_a3b0b801b25637437c5e6a5f15400328_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    a3b0b801b25637437c5e6a5f15400328

  • SHA1

    cc57b62d7a70481188b832fc85f9810d3c8aff64

  • SHA256

    08c865f69fa1ab1dc7d5f02e81d58c6c223d8737b0f4b176a12d11ead69c1c7a

  • SHA512

    b4b86857feda9f44b469fee73451ca95f11486e7aab8f4c09c0ed6e991e3e4312b02fc938eac2ec1df21e34d50ea3b06672261e0e39208acbb5826972b73f392

  • SSDEEP

    6144:ITz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:ITBPFV0RyWl3h2E+7pl

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-19_a3b0b801b25637437c5e6a5f15400328_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-19_a3b0b801b25637437c5e6a5f15400328_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
        3⤵
        • Executes dropped EXE
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
    Filesize

    280KB

    MD5

    67a8a77862425714ff885427ec36d4a0

    SHA1

    125743c049d0b4d09fc9c06e9e61d349229cc4f7

    SHA256

    d3e9b01e2aba2599388d4f9bf77e29ddb259ac5d95ee9693bfc6be56ce7788e8

    SHA512

    4de51eb4e4a68e669d744344c3f7a57778e689d4379e0ca9412004c866e72bc206bff29a5a5c6da08589c606011baec2a3662eb0ba93742a5b45d18936b7614c

    Download Submit