58478862c7e18c967b0089f90dbef10d1426aceeb7b818ec0abcac28f8dc447a

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2023 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Size

327KB
MD5

4779d03ef695a1ce74c40932cc34fac6
SHA1

351143a33e05c9b6bc04fa6de9fbd05337c6f565
SHA256

58478862c7e18c967b0089f90dbef10d1426aceeb7b818ec0abcac28f8dc447a
SHA512

f19774e58e8a2c88a5bee17abede059c8e47ec5f11a2297894751b532d60b2f4a58574f7ddce7ab3792c511393bb0bb85adfc304956422a91700c2468b5942db
SSDEEP

6144:82+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:82TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2896	wlogon32.exe
4444	wlogon32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\haldriver\DefaultIcon	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\wlogon32.exe\" /START \"%1\" %*"	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\ = "haldriver"	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\DefaultIcon\ = "%1"	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\haldriver	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\haldriver\ = "Application"	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\haldriver\Content-Type = "application/x-msdownload"	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\haldriver\shell\runas	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\DefaultIcon	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\wlogon32.exe\" /START \"%1\" %*"	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\runas\command	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\haldriver\shell\runas\command	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*"	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\Content-Type = "application/x-msdownload"	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\open\command	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\runas	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\haldriver\DefaultIcon\ = "%1"	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\haldriver\shell\open\command	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\haldriver\shell	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\haldriver\shell\open	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\open	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2896	wlogon32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 2896	1372	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe	82
PID 1372 wrote to memory of 2896	1372	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe	82
PID 1372 wrote to memory of 2896	1372	4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe	82
PID 2896 wrote to memory of 4444	2896	wlogon32.exe	83
PID 2896 wrote to memory of 4444	2896	wlogon32.exe	83
PID 2896 wrote to memory of 4444	2896	wlogon32.exe	83

C:\Users\Admin\AppData\Local\Temp\4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4779d03ef695a1ce74c40932cc34fac6_mafia_nionspy_JC.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe"
    3⤵
    - Executes dropped EXE
    PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe

Filesize
327KB

MD5
8352521ffe5a0320ae22c9b6aa31a988

SHA1
a9e24c9f5aeadb0e4df994261bde89afecfab268

SHA256
166c69d813dfe9b246a980e903a9c6e302739d5e54f89ec88d2e0a22d2dc295b

SHA512
b8dab94e2ca8346261c07e65de37e711f5e01643a597c8ecfcf1c4c994bca358769a2ec040720585b3afb47649027571a98dceed0dda89b3a2c58e19b54f89bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe

Filesize
327KB

MD5
8352521ffe5a0320ae22c9b6aa31a988

SHA1
a9e24c9f5aeadb0e4df994261bde89afecfab268

SHA256
166c69d813dfe9b246a980e903a9c6e302739d5e54f89ec88d2e0a22d2dc295b

SHA512
b8dab94e2ca8346261c07e65de37e711f5e01643a597c8ecfcf1c4c994bca358769a2ec040720585b3afb47649027571a98dceed0dda89b3a2c58e19b54f89bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe

Filesize
327KB

MD5
8352521ffe5a0320ae22c9b6aa31a988

SHA1
a9e24c9f5aeadb0e4df994261bde89afecfab268

SHA256
166c69d813dfe9b246a980e903a9c6e302739d5e54f89ec88d2e0a22d2dc295b

SHA512
b8dab94e2ca8346261c07e65de37e711f5e01643a597c8ecfcf1c4c994bca358769a2ec040720585b3afb47649027571a98dceed0dda89b3a2c58e19b54f89bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SView\wlogon32.exe

Filesize
327KB

MD5
8352521ffe5a0320ae22c9b6aa31a988

SHA1
a9e24c9f5aeadb0e4df994261bde89afecfab268

SHA256
166c69d813dfe9b246a980e903a9c6e302739d5e54f89ec88d2e0a22d2dc295b

SHA512
b8dab94e2ca8346261c07e65de37e711f5e01643a597c8ecfcf1c4c994bca358769a2ec040720585b3afb47649027571a98dceed0dda89b3a2c58e19b54f89bc

Download Submit