b889599d491f54d24c69df41e08475343b63b862c244ef3e251ff75803516068

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 15:14 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Size

327KB
MD5

997f39e96ad37cba3e4261b750ae1dd8
SHA1

b7364983c6cff0f64e408d3f41cd0338ac9c5035
SHA256

b889599d491f54d24c69df41e08475343b63b862c244ef3e251ff75803516068
SHA512

67f4d824d971efe8bbcd6c8a4ab1ff6d549422b5dc5125a05680f907591b313f6891846268489417319a5b033cccba54509c11952347c1a288ecbf1f18b02218
SSDEEP

6144:c2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:c2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4856	wlogon32.exe
1740	wlogon32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open\command	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\runas\command	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\open\command	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\open	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\ = "haldriver"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\ = "Application"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\DefaultIcon\ = "%1"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\DefaultIcon	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\Content-Type = "application/x-msdownload"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\wlogon32.exe\" /START \"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\Content-Type = "application/x-msdownload"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\DefaultIcon	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas\command	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\DefaultIcon\ = "%1"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\haldriver\shell\runas	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\wlogon32.exe\" /START \"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4856	wlogon32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 4856	1328	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe	84
PID 1328 wrote to memory of 4856	1328	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe	84
PID 1328 wrote to memory of 4856	1328	997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe	84
PID 4856 wrote to memory of 1740	4856	wlogon32.exe	85
PID 4856 wrote to memory of 1740	4856	wlogon32.exe	85
PID 4856 wrote to memory of 1740	4856	wlogon32.exe	85

C:\Users\Admin\AppData\Local\Temp\997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe
"C:\Users\Admin\AppData\Local\Temp\997f39e96ad37cba3e4261b750ae1dd8_mafia_nionspy_JC.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\wlogon32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\wlogon32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\wlogon32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\wlogon32.exe"
    3⤵
    - Executes dropped EXE
    PID:1740

Network

DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
DNS

254.19.26.67.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.19.26.67.in-addr.arpa

IN PTR

Response
DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

nwoccs.zapto.org

wlogon32.exe

Remote address:

8.8.8.8:53

Request

nwoccs.zapto.org

IN A

Response
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

8.3.197.209.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.3.197.209.in-addr.arpa

IN PTR

Response

8.3.197.209.in-addr.arpa

IN PTR

vip0x008map2sslhwcdnnet
DNS

nwoccs.zapto.org

wlogon32.exe

Remote address:

8.8.8.8:53

Request

nwoccs.zapto.org

IN A

Response
DNS

121.252.72.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

121.252.72.23.in-addr.arpa

IN PTR

Response

121.252.72.23.in-addr.arpa

IN PTR

a23-72-252-121deploystaticakamaitechnologiescom
DNS

nwoccs.zapto.org

wlogon32.exe

Remote address:

8.8.8.8:53

Request

nwoccs.zapto.org

IN A

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

nwoccs.zapto.org

wlogon32.exe

Remote address:

8.8.8.8:53

Request

nwoccs.zapto.org

IN A

Response
DNS

nwoccs.zapto.org

wlogon32.exe

Remote address:

8.8.8.8:53

Request

nwoccs.zapto.org

IN A

Response
DNS

3.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.173.189.20.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

254.19.26.67.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

254.19.26.67.in-addr.arpa
8.8.8.8:53

22.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

nwoccs.zapto.org

dns

wlogon32.exe

62 B
122 B
1
1

DNS Request

nwoccs.zapto.org
8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

8.3.197.209.in-addr.arpa

dns

70 B
111 B
1
1

DNS Request

8.3.197.209.in-addr.arpa
8.8.8.8:53

nwoccs.zapto.org

dns

wlogon32.exe

62 B
122 B
1
1

DNS Request

nwoccs.zapto.org
8.8.8.8:53

121.252.72.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

121.252.72.23.in-addr.arpa
8.8.8.8:53

nwoccs.zapto.org

dns

wlogon32.exe

62 B
122 B
1
1

DNS Request

nwoccs.zapto.org
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

nwoccs.zapto.org

dns

wlogon32.exe

62 B
122 B
1
1

DNS Request

nwoccs.zapto.org
8.8.8.8:53

nwoccs.zapto.org

dns

wlogon32.exe

62 B
122 B
1
1

DNS Request

nwoccs.zapto.org
8.8.8.8:53

3.173.189.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

3.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\wlogon32.exe

Filesize
327KB

MD5
7be5bd2d935cb8b6cd402ab46e01f4bd

SHA1
0576b25e2ecc96a493479ff09d1ae2e1dcd22c92

SHA256
f6b203309a70d507549bd9abb25c936688f463ff0bc46559c25573a689754f6b

SHA512
c7c0cd45117c6ad8d8971a74adb84ece49bb8d06e02b12b628b0f33758d9178c6289b7a82ee0306e691e1c72c3b717e5ab4affa2c0fc6f517cc5280ceea02b11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\wlogon32.exe

Filesize
327KB

MD5
7be5bd2d935cb8b6cd402ab46e01f4bd

SHA1
0576b25e2ecc96a493479ff09d1ae2e1dcd22c92

SHA256
f6b203309a70d507549bd9abb25c936688f463ff0bc46559c25573a689754f6b

SHA512
c7c0cd45117c6ad8d8971a74adb84ece49bb8d06e02b12b628b0f33758d9178c6289b7a82ee0306e691e1c72c3b717e5ab4affa2c0fc6f517cc5280ceea02b11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\wlogon32.exe

Filesize
327KB

MD5
7be5bd2d935cb8b6cd402ab46e01f4bd

SHA1
0576b25e2ecc96a493479ff09d1ae2e1dcd22c92

SHA256
f6b203309a70d507549bd9abb25c936688f463ff0bc46559c25573a689754f6b

SHA512
c7c0cd45117c6ad8d8971a74adb84ece49bb8d06e02b12b628b0f33758d9178c6289b7a82ee0306e691e1c72c3b717e5ab4affa2c0fc6f517cc5280ceea02b11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\wlogon32.exe

Filesize
327KB

MD5
7be5bd2d935cb8b6cd402ab46e01f4bd

SHA1
0576b25e2ecc96a493479ff09d1ae2e1dcd22c92

SHA256
f6b203309a70d507549bd9abb25c936688f463ff0bc46559c25573a689754f6b

SHA512
c7c0cd45117c6ad8d8971a74adb84ece49bb8d06e02b12b628b0f33758d9178c6289b7a82ee0306e691e1c72c3b717e5ab4affa2c0fc6f517cc5280ceea02b11

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.