Overview

overview

7

Static

static

3

2024-10-09...py.exe

windows7-x64

7

2024-10-09...py.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    124s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    09-10-2024 07:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-10-09_da3a4755d9fc41c0e2d98e8ec1c842ea_mafia_nionspy.exe

  • Size

    344KB

  • MD5

    da3a4755d9fc41c0e2d98e8ec1c842ea

  • SHA1

    92661dcf10440bd3163815de1489b404fa6f3329

  • SHA256

    de7a1a03edda94cd358d8da66773e92466b36ca2862d719e80b1d73d3b1b56f5

  • SHA512

    9393d9a8614e789acf5ac3e2148ab13cf8e86f1a81e7f8d8cbd9e25870a18d0dd2f0c608a3bbc7657fb191999ac7c539241f59368595c8a14bae7a19b115ab6b

  • SSDEEP

    6144:dTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:dTBPFV0RyWl3h2E+7pYm0

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-09_da3a4755d9fc41c0e2d98e8ec1c842ea_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-09_da3a4755d9fc41c0e2d98e8ec1c842ea_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\lsassys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\lsassys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\lsassys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\lsassys.exe"
        3⤵
        • Executes dropped EXE
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\Microsoft\Sys32\lsassys.exe
    Filesize

    344KB

    MD5

    0d9e2ed9e2c8bb1cd24f458be3a9b2fe

    SHA1

    43b18a2d55708a4e252987cdf48cc977f8cea08a

    SHA256

    d39240c138cb51fea8cba0fc749df5111fb4d7b002fd28a01a6308a7b87793aa

    SHA512

    a432595c3e5ddc7482d0c37a2284db9193fbd905d2333f9f6b5ae7eeff7088f928f92b35b4af403f1d97e1597ce300732ce7130e875881a21d0fc0a6941838b9

    Download Submit