165eef8256b98d9cfecdb659a785b1f92227d9033b6c8b8108c8e6da5bf4dee5

Analysis

max time kernel
133s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2023, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Size

327KB
MD5

8b82b6612a80daa7dfe1d33e95bf47ac
SHA1

938aea5fb94f0e1152135c7959de276d33a287c1
SHA256

165eef8256b98d9cfecdb659a785b1f92227d9033b6c8b8108c8e6da5bf4dee5
SHA512

21960832d4853d8ef9bdd7d4e94dd7b47d24dbac7e1d016368eece01a988fb87f7d68ac56913e2ccf2aaf88beaa46a86432f19968bc687d9f3f6641adf74de82
SSDEEP

6144:n2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:n2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3500	dwmsys.exe
640	dwmsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\.exe\Content-Type = "application/x-msdownload"	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\.exe\shell\open	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\systemui\shell\open\command	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\.exe\shell\open\command	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\systemui	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\systemui\ = "Application"	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\systemui\DefaultIcon	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\dwmsys.exe\" /START \"%1\" %*"	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\.exe\shell\runas	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\systemui\DefaultIcon\ = "%1"	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\systemui\shell	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\.exe\ = "systemui"	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\.exe\shell\runas\command	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\.exe	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\systemui\shell\open	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\systemui\shell\runas\command\ = "\"%1\" %*"	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\dwmsys.exe\" /START \"%1\" %*"	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\systemui\Content-Type = "application/x-msdownload"	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\.exe\DefaultIcon	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\.exe\shell	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\systemui\shell\runas\command	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\systemui\shell\runas	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\.exe\DefaultIcon\ = "%1"	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3500	dwmsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 3500	2660	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe	82
PID 2660 wrote to memory of 3500	2660	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe	82
PID 2660 wrote to memory of 3500	2660	8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe	82
PID 3500 wrote to memory of 640	3500	dwmsys.exe	83
PID 3500 wrote to memory of 640	3500	dwmsys.exe	83
PID 3500 wrote to memory of 640	3500	dwmsys.exe	83

C:\Users\Admin\AppData\Local\Temp\8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe
"C:\Users\Admin\AppData\Local\Temp\8b82b6612a80daa7dfe1d33e95bf47ac_mafia_nionspy_JC.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"
    3⤵
    - Executes dropped EXE
    PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe

Filesize
327KB

MD5
b1e75bccc42ba9cb58ea941745defb72

SHA1
fed7ff1c24e862671eba87b0c42e2a2de93ebe04

SHA256
f02ccb20c7473a6ca774e17594a21099d75759a1997f229dc10bc2c981e1360e

SHA512
1a00194834a9c9a59fae714649ec013074860f539d484a066d39887c8d05565a687a59c1f3c6f21e3e845cfed5daf2cb94b3d40639141e679a24da228e2d38f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe

Filesize
327KB

MD5
b1e75bccc42ba9cb58ea941745defb72

SHA1
fed7ff1c24e862671eba87b0c42e2a2de93ebe04

SHA256
f02ccb20c7473a6ca774e17594a21099d75759a1997f229dc10bc2c981e1360e

SHA512
1a00194834a9c9a59fae714649ec013074860f539d484a066d39887c8d05565a687a59c1f3c6f21e3e845cfed5daf2cb94b3d40639141e679a24da228e2d38f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe

Filesize
327KB

MD5
b1e75bccc42ba9cb58ea941745defb72

SHA1
fed7ff1c24e862671eba87b0c42e2a2de93ebe04

SHA256
f02ccb20c7473a6ca774e17594a21099d75759a1997f229dc10bc2c981e1360e

SHA512
1a00194834a9c9a59fae714649ec013074860f539d484a066d39887c8d05565a687a59c1f3c6f21e3e845cfed5daf2cb94b3d40639141e679a24da228e2d38f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe

Filesize
327KB

MD5
b1e75bccc42ba9cb58ea941745defb72

SHA1
fed7ff1c24e862671eba87b0c42e2a2de93ebe04

SHA256
f02ccb20c7473a6ca774e17594a21099d75759a1997f229dc10bc2c981e1360e

SHA512
1a00194834a9c9a59fae714649ec013074860f539d484a066d39887c8d05565a687a59c1f3c6f21e3e845cfed5daf2cb94b3d40639141e679a24da228e2d38f6

Download Submit