d5c7486801d3f150a8c07b132592a6a1101cf0ef10b84629fc2e9cced4234ca7

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2023 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Size

327KB
MD5

59a54d0ff309f6b2d6abf8a846f60ff6
SHA1

af5e7797c594370c6ab6a1664769e4d049b3bd28
SHA256

d5c7486801d3f150a8c07b132592a6a1101cf0ef10b84629fc2e9cced4234ca7
SHA512

54f52dd746f69f863c465c1b7c4c78b0d295e8573a30bf86df577a7510aa844042f538b5537c18b30276bb63de1741f5fe5c362e9940abd83fea7bf5a2e4de7c
SSDEEP

6144:g2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:g2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3788	winit32.exe
4016	winit32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ntdriver\Content-Type = "application/x-msdownload"	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ntdriver\shell\runas\command	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\DefaultIcon	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ntdriver\shell	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ntdriver\shell\open	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ntdriver\shell\runas\command\ = "\"%1\" %*"	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ntdriver\DefaultIcon	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ntdriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\DefaultIcon\ = "%1"	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\winit32.exe\" /START \"%1\" %*"	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\runas\command	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ntdriver\shell\open\command	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ntdriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\winit32.exe\" /START \"%1\" %*"	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ntdriver\shell\runas	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\open	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ntdriver	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ntdriver\DefaultIcon\ = "%1"	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\ = "ntdriver"	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\Content-Type = "application/x-msdownload"	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\open\command	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ntdriver\ = "Application"	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ntdriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.exe\shell\runas	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3788	winit32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 3788	2880	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe	81
PID 2880 wrote to memory of 3788	2880	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe	81
PID 2880 wrote to memory of 3788	2880	59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe	81
PID 3788 wrote to memory of 4016	3788	winit32.exe	82
PID 3788 wrote to memory of 4016	3788	winit32.exe	82
PID 3788 wrote to memory of 4016	3788	winit32.exe	82

C:\Users\Admin\AppData\Local\Temp\59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe
"C:\Users\Admin\AppData\Local\Temp\59a54d0ff309f6b2d6abf8a846f60ff6_mafia_nionspy_JC.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe"
    3⤵
    - Executes dropped EXE
    PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe

Filesize
327KB

MD5
4ce088e90625eaa93d7ca23ca1269aaf

SHA1
aea2b4ac31dd3965a5fc2e100c889d9a2cbfcc5e

SHA256
c8a4369011e226578626c4e8e435f0dd64709175ffbbf238a7d455c351251ece

SHA512
6ba33d0779fa0c41d7b9f42b37a03c4e888fdca73789ed45ee1416d9f89d250e93d755bd14432a8359293fe4a2801a2af24a2e62072fb48868cf224a357e9c5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe

Filesize
327KB

MD5
4ce088e90625eaa93d7ca23ca1269aaf

SHA1
aea2b4ac31dd3965a5fc2e100c889d9a2cbfcc5e

SHA256
c8a4369011e226578626c4e8e435f0dd64709175ffbbf238a7d455c351251ece

SHA512
6ba33d0779fa0c41d7b9f42b37a03c4e888fdca73789ed45ee1416d9f89d250e93d755bd14432a8359293fe4a2801a2af24a2e62072fb48868cf224a357e9c5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe

Filesize
327KB

MD5
4ce088e90625eaa93d7ca23ca1269aaf

SHA1
aea2b4ac31dd3965a5fc2e100c889d9a2cbfcc5e

SHA256
c8a4369011e226578626c4e8e435f0dd64709175ffbbf238a7d455c351251ece

SHA512
6ba33d0779fa0c41d7b9f42b37a03c4e888fdca73789ed45ee1416d9f89d250e93d755bd14432a8359293fe4a2801a2af24a2e62072fb48868cf224a357e9c5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\winit32.exe

Filesize
327KB

MD5
4ce088e90625eaa93d7ca23ca1269aaf

SHA1
aea2b4ac31dd3965a5fc2e100c889d9a2cbfcc5e

SHA256
c8a4369011e226578626c4e8e435f0dd64709175ffbbf238a7d455c351251ece

SHA512
6ba33d0779fa0c41d7b9f42b37a03c4e888fdca73789ed45ee1416d9f89d250e93d755bd14432a8359293fe4a2801a2af24a2e62072fb48868cf224a357e9c5d

Download Submit