759afc32c8a9be49ec68cad8d308cc992d86f29826f5604b95d4555e0785353c

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 17:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Size

280KB
MD5

d0ea370514c62fdffc98302d17ede77a
SHA1

25a2bd3cc78c9155c70e561ebd1265ee2102fe77
SHA256

759afc32c8a9be49ec68cad8d308cc992d86f29826f5604b95d4555e0785353c
SHA512

4af08930ce9a5228803c2f434072dee6149e5af945765847a0a46d83bf6ab66b624d8b3191211d9af0ad1fd1caea6d531a37a2162934cc70f6c3a3e309bdaf44
SSDEEP

6144:WTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:WTBPFV0RyWl3h2E+7pl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2716	taskhostsys.exe
1084	taskhostsys.exe

Loads dropped DLL 3 IoCs

pid	Process
2872	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
2872	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
2872	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\jitc	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\jitc\ = "Application"	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\taskhostsys.exe\" /START \"%1\" %*"	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\jitc\shell\runas\command	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.exe\ = "jitc"	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.exe\DefaultIcon	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.exe\DefaultIcon\ = "%1"	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.exe\shell\open\command	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.exe	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\jitc\DefaultIcon	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.exe\shell	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.exe\shell\runas\command	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\jitc\shell\open\command	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\taskhostsys.exe\" /START \"%1\" %*"	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.exe\shell\runas	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\jitc\Content-Type = "application/x-msdownload"	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*"	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\jitc\shell\runas\command\ = "\"%1\" %*"	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\jitc\DefaultIcon\ = "%1"	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\jitc\shell	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\jitc\shell\open	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\jitc\shell\runas	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.exe\shell\open	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2716	taskhostsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2716	2872	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe	28
PID 2872 wrote to memory of 2716	2872	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe	28
PID 2872 wrote to memory of 2716	2872	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe	28
PID 2872 wrote to memory of 2716	2872	NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe	28
PID 2716 wrote to memory of 1084	2716	taskhostsys.exe	29
PID 2716 wrote to memory of 1084	2716	taskhostsys.exe	29
PID 2716 wrote to memory of 1084	2716	taskhostsys.exe	29
PID 2716 wrote to memory of 1084	2716	taskhostsys.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_d0ea370514c62fdffc98302d17ede77a_mafia_nionspy_JC.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe"
    3⤵
    - Executes dropped EXE
    PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe

Filesize
280KB

MD5
7948bbb1b17b954789c4f24f29b7f829

SHA1
fb04f8dbb3e5bdbbd8cfedc96fcdfc80a8b7ba62

SHA256
9dd11fc387a68fd76f56d9171cf00fda5b0d32a9b43f59ea6cc444a2024cf1f9

SHA512
ca4adffb47a91590f4b77783abb97108945a2bf8ec0cdd703824d694b6a6d266634399c7baccd865042ef7a559eb653f53bd40fd613d4758088b16f262b35a93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe

Filesize
280KB

MD5
7948bbb1b17b954789c4f24f29b7f829

SHA1
fb04f8dbb3e5bdbbd8cfedc96fcdfc80a8b7ba62

SHA256
9dd11fc387a68fd76f56d9171cf00fda5b0d32a9b43f59ea6cc444a2024cf1f9

SHA512
ca4adffb47a91590f4b77783abb97108945a2bf8ec0cdd703824d694b6a6d266634399c7baccd865042ef7a559eb653f53bd40fd613d4758088b16f262b35a93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe

Filesize
280KB

MD5
7948bbb1b17b954789c4f24f29b7f829

SHA1
fb04f8dbb3e5bdbbd8cfedc96fcdfc80a8b7ba62

SHA256
9dd11fc387a68fd76f56d9171cf00fda5b0d32a9b43f59ea6cc444a2024cf1f9

SHA512
ca4adffb47a91590f4b77783abb97108945a2bf8ec0cdd703824d694b6a6d266634399c7baccd865042ef7a559eb653f53bd40fd613d4758088b16f262b35a93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe

Filesize
280KB

MD5
7948bbb1b17b954789c4f24f29b7f829

SHA1
fb04f8dbb3e5bdbbd8cfedc96fcdfc80a8b7ba62

SHA256
9dd11fc387a68fd76f56d9171cf00fda5b0d32a9b43f59ea6cc444a2024cf1f9

SHA512
ca4adffb47a91590f4b77783abb97108945a2bf8ec0cdd703824d694b6a6d266634399c7baccd865042ef7a559eb653f53bd40fd613d4758088b16f262b35a93

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe

Filesize
280KB

MD5
7948bbb1b17b954789c4f24f29b7f829

SHA1
fb04f8dbb3e5bdbbd8cfedc96fcdfc80a8b7ba62

SHA256
9dd11fc387a68fd76f56d9171cf00fda5b0d32a9b43f59ea6cc444a2024cf1f9

SHA512
ca4adffb47a91590f4b77783abb97108945a2bf8ec0cdd703824d694b6a6d266634399c7baccd865042ef7a559eb653f53bd40fd613d4758088b16f262b35a93

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe

Filesize
280KB

MD5
7948bbb1b17b954789c4f24f29b7f829

SHA1
fb04f8dbb3e5bdbbd8cfedc96fcdfc80a8b7ba62

SHA256
9dd11fc387a68fd76f56d9171cf00fda5b0d32a9b43f59ea6cc444a2024cf1f9

SHA512
ca4adffb47a91590f4b77783abb97108945a2bf8ec0cdd703824d694b6a6d266634399c7baccd865042ef7a559eb653f53bd40fd613d4758088b16f262b35a93

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe

Filesize
280KB

MD5
7948bbb1b17b954789c4f24f29b7f829

SHA1
fb04f8dbb3e5bdbbd8cfedc96fcdfc80a8b7ba62

SHA256
9dd11fc387a68fd76f56d9171cf00fda5b0d32a9b43f59ea6cc444a2024cf1f9

SHA512
ca4adffb47a91590f4b77783abb97108945a2bf8ec0cdd703824d694b6a6d266634399c7baccd865042ef7a559eb653f53bd40fd613d4758088b16f262b35a93

Download Submit