5960b21f8d1180a567bdef4c58ec3ae56c44c51ff86775c3ebd0bbfd51bb51d5

Analysis

max time kernel
125s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
06/08/2023, 18:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Size

327KB
MD5

8fe5536d3bc1444d2047ff2673d40427
SHA1

c009ff18e6bca05aa344643f6be288e6f0efcdd9
SHA256

5960b21f8d1180a567bdef4c58ec3ae56c44c51ff86775c3ebd0bbfd51bb51d5
SHA512

3966af2097e3d817fa5160641cde1ce67f370fe2bb262adfa2ee53cec37242f0073936fb788ccc908b405f6d5a879fa2e0379a56a5b6fd0334abef0b5eb5213d
SSDEEP

6144:Y2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:Y2TFafJiHCWBWPMjVWrXf1v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2616	winit32.exe
2468	winit32.exe

Loads dropped DLL 4 IoCs

pid	Process
2592	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
2592	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
2592	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
2616	winit32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\ntdriver\DefaultIcon\ = "%1"	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\ntdriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.exe\ = "ntdriver"	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\ntdriver\Content-Type = "application/x-msdownload"	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\ntdriver\DefaultIcon	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.exe\DefaultIcon\ = "%1"	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.exe\shell\open	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\ntdriver\shell\open\command	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\ntdriver\shell\runas\command	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\ntdriver	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.exe\DefaultIcon	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.exe\shell\runas\command	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\ntdriver\ = "Application"	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\ntdriver\shell	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.exe	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.exe\shell	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\ntdriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\winit32.exe\" /START \"%1\" %*"	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\ntdriver\shell\runas	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\ntdriver\shell\runas\command\ = "\"%1\" %*"	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.exe\shell\open\command	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\winit32.exe\" /START \"%1\" %*"	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.exe\shell\runas	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\ntdriver\shell\open	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\ntdriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2616	winit32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2616	2592	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe	28
PID 2592 wrote to memory of 2616	2592	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe	28
PID 2592 wrote to memory of 2616	2592	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe	28
PID 2592 wrote to memory of 2616	2592	8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe	28
PID 2616 wrote to memory of 2468	2616	winit32.exe	29
PID 2616 wrote to memory of 2468	2616	winit32.exe	29
PID 2616 wrote to memory of 2468	2616	winit32.exe	29
PID 2616 wrote to memory of 2468	2616	winit32.exe	29

C:\Users\Admin\AppData\Local\Temp\8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe
"C:\Users\Admin\AppData\Local\Temp\8fe5536d3bc1444d2047ff2673d40427_mafia_nionspy_JC.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe"
    3⤵
    - Executes dropped EXE
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe

Filesize
327KB

MD5
00e6c931f76ae96a137b48dd4fa76afd

SHA1
6a50f860c1222cea6a4d726b9201cfcdb2752446

SHA256
e57ce6949956d062d193d0c0c00edea183a60369b66bfcc5d3f097e1b43b1015

SHA512
2ff41213793b31bb03e808830b22c0329c277205016ef49826b3ecfdeab18a1b5a610f812dc67a7e474491eac4e217a575f84b2084b420711586643964f32da5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe

Filesize
327KB

MD5
00e6c931f76ae96a137b48dd4fa76afd

SHA1
6a50f860c1222cea6a4d726b9201cfcdb2752446

SHA256
e57ce6949956d062d193d0c0c00edea183a60369b66bfcc5d3f097e1b43b1015

SHA512
2ff41213793b31bb03e808830b22c0329c277205016ef49826b3ecfdeab18a1b5a610f812dc67a7e474491eac4e217a575f84b2084b420711586643964f32da5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe

Filesize
327KB

MD5
00e6c931f76ae96a137b48dd4fa76afd

SHA1
6a50f860c1222cea6a4d726b9201cfcdb2752446

SHA256
e57ce6949956d062d193d0c0c00edea183a60369b66bfcc5d3f097e1b43b1015

SHA512
2ff41213793b31bb03e808830b22c0329c277205016ef49826b3ecfdeab18a1b5a610f812dc67a7e474491eac4e217a575f84b2084b420711586643964f32da5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe

Filesize
327KB

MD5
00e6c931f76ae96a137b48dd4fa76afd

SHA1
6a50f860c1222cea6a4d726b9201cfcdb2752446

SHA256
e57ce6949956d062d193d0c0c00edea183a60369b66bfcc5d3f097e1b43b1015

SHA512
2ff41213793b31bb03e808830b22c0329c277205016ef49826b3ecfdeab18a1b5a610f812dc67a7e474491eac4e217a575f84b2084b420711586643964f32da5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe

Filesize
327KB

MD5
00e6c931f76ae96a137b48dd4fa76afd

SHA1
6a50f860c1222cea6a4d726b9201cfcdb2752446

SHA256
e57ce6949956d062d193d0c0c00edea183a60369b66bfcc5d3f097e1b43b1015

SHA512
2ff41213793b31bb03e808830b22c0329c277205016ef49826b3ecfdeab18a1b5a610f812dc67a7e474491eac4e217a575f84b2084b420711586643964f32da5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe

Filesize
327KB

MD5
00e6c931f76ae96a137b48dd4fa76afd

SHA1
6a50f860c1222cea6a4d726b9201cfcdb2752446

SHA256
e57ce6949956d062d193d0c0c00edea183a60369b66bfcc5d3f097e1b43b1015

SHA512
2ff41213793b31bb03e808830b22c0329c277205016ef49826b3ecfdeab18a1b5a610f812dc67a7e474491eac4e217a575f84b2084b420711586643964f32da5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe

Filesize
327KB

MD5
00e6c931f76ae96a137b48dd4fa76afd

SHA1
6a50f860c1222cea6a4d726b9201cfcdb2752446

SHA256
e57ce6949956d062d193d0c0c00edea183a60369b66bfcc5d3f097e1b43b1015

SHA512
2ff41213793b31bb03e808830b22c0329c277205016ef49826b3ecfdeab18a1b5a610f812dc67a7e474491eac4e217a575f84b2084b420711586643964f32da5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe

Filesize
327KB

MD5
00e6c931f76ae96a137b48dd4fa76afd

SHA1
6a50f860c1222cea6a4d726b9201cfcdb2752446

SHA256
e57ce6949956d062d193d0c0c00edea183a60369b66bfcc5d3f097e1b43b1015

SHA512
2ff41213793b31bb03e808830b22c0329c277205016ef49826b3ecfdeab18a1b5a610f812dc67a7e474491eac4e217a575f84b2084b420711586643964f32da5

Download Submit