2dcbda5e96deca54be624823e93cb17ea158e2dcffb95f575b686a7875856192

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/08/2023, 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Size

288KB
MD5

face7bd424e80ca419b12ccd20b302ba
SHA1

44a12a3c7ee1fa8897cd6784e9cadadd94e767e0
SHA256

2dcbda5e96deca54be624823e93cb17ea158e2dcffb95f575b686a7875856192
SHA512

bba78325bf9e8021b03a5258614f5b9e33e8fde00540f19660db947df0a461c91c3d07f6fe625c86d059c78c4bf3161658172edb4ef0a1392fb19c3ddd1b9830
SSDEEP

6144:BQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:BQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4372	SearchIndexerDB.exe
3544	SearchIndexerDB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\jitc\shell\runas\command\ = "\"%1\" %*"	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\ = "jitc"	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\DefaultIcon	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\open\command	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\SearchIndexerDB.exe\" /START \"%1\" %*"	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*"	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\jitc\DefaultIcon\ = "%1"	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\jitc\shell\open\command	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\jitc	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\jitc\DefaultIcon	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\Content-Type = "application/x-msdownload"	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\jitc\Content-Type = "application/x-msdownload"	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\runas\command	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\runas	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\jitc\shell\runas\command	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\jitc\shell	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\jitc\shell\open	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\DefaultIcon\ = "%1"	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\SearchIndexerDB.exe\" /START \"%1\" %*"	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\jitc\ = "Application"	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\open	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\jitc\shell\runas	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4372	SearchIndexerDB.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4372	4824	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe	82
PID 4824 wrote to memory of 4372	4824	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe	82
PID 4824 wrote to memory of 4372	4824	face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe	82
PID 4372 wrote to memory of 3544	4372	SearchIndexerDB.exe	83
PID 4372 wrote to memory of 3544	4372	SearchIndexerDB.exe	83
PID 4372 wrote to memory of 3544	4372	SearchIndexerDB.exe	83

C:\Users\Admin\AppData\Local\Temp\face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe
"C:\Users\Admin\AppData\Local\Temp\face7bd424e80ca419b12ccd20b302ba_mafia_nionspy_JC.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\SearchIndexerDB.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\SearchIndexerDB.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\SearchIndexerDB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\SearchIndexerDB.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\SearchIndexerDB.exe"
    3⤵
    - Executes dropped EXE
    PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\SearchIndexerDB.exe

Filesize
288KB

MD5
76e366e5a92c3b3c569c86b4edf2782e

SHA1
1588914f9cc9e55a9fddfd560e6a78d33c27cab3

SHA256
9d652c76f88831e6c8b852f8b97a2261ce562241b4a5d79350a28bf7c9bc49c4

SHA512
7e9c3abbb8307fa2970e2ea95e3ddf9e7e0b970fd06332065ca01ca2d9ec4f5a0802394bba681fab0405d9ca5dcc0f29f756b334b8ecf01d5f9c1e3ace60e7ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\SearchIndexerDB.exe

Filesize
288KB

MD5
76e366e5a92c3b3c569c86b4edf2782e

SHA1
1588914f9cc9e55a9fddfd560e6a78d33c27cab3

SHA256
9d652c76f88831e6c8b852f8b97a2261ce562241b4a5d79350a28bf7c9bc49c4

SHA512
7e9c3abbb8307fa2970e2ea95e3ddf9e7e0b970fd06332065ca01ca2d9ec4f5a0802394bba681fab0405d9ca5dcc0f29f756b334b8ecf01d5f9c1e3ace60e7ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\SearchIndexerDB.exe

Filesize
288KB

MD5
76e366e5a92c3b3c569c86b4edf2782e

SHA1
1588914f9cc9e55a9fddfd560e6a78d33c27cab3

SHA256
9d652c76f88831e6c8b852f8b97a2261ce562241b4a5d79350a28bf7c9bc49c4

SHA512
7e9c3abbb8307fa2970e2ea95e3ddf9e7e0b970fd06332065ca01ca2d9ec4f5a0802394bba681fab0405d9ca5dcc0f29f756b334b8ecf01d5f9c1e3ace60e7ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\SearchIndexerDB.exe

Filesize
288KB

MD5
76e366e5a92c3b3c569c86b4edf2782e

SHA1
1588914f9cc9e55a9fddfd560e6a78d33c27cab3

SHA256
9d652c76f88831e6c8b852f8b97a2261ce562241b4a5d79350a28bf7c9bc49c4

SHA512
7e9c3abbb8307fa2970e2ea95e3ddf9e7e0b970fd06332065ca01ca2d9ec4f5a0802394bba681fab0405d9ca5dcc0f29f756b334b8ecf01d5f9c1e3ace60e7ec

Download Submit