9e6594f34dde371228c45829e9ec961aaa0eed1757c350d44d12d66deacfa7c4

Analysis

max time kernel
0s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 05:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Size

288KB
MD5

4f748e3e12b8e42e4846eaa9316d8012
SHA1

2d5408b03a97dd84970bfb1e20c9dd4b9b143376
SHA256

9e6594f34dde371228c45829e9ec961aaa0eed1757c350d44d12d66deacfa7c4
SHA512

32f2e07f1870c6d751cda6d582a0b8fe077ede87637e10ea32b7e941f9dd3f9dae8349872fa6be610a8d9691ac7b5a70a53ff4cf345833cdad82dc301b6d3def
SSDEEP

6144:8Q+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:8QMyfmNFHfnWfhLZVHmOog

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\prochost\shell\open	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\.exe\ = "prochost"	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\.exe\shell\open	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\prochost\ = "Application"	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\prochost\shell\runas\command\ = "\"%1\" %*"	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\prochost\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\sidebar2.exe\" /START \"%1\" %*"	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\prochost\DefaultIcon	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\prochost\DefaultIcon\ = "%1"	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\prochost	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\prochost\Content-Type = "application/x-msdownload"	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\prochost\shell\runas\command	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\.exe	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\.exe\shell\open\command	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\.exe\shell	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\.exe\shell\runas\command	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\prochost\shell\open\command	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\prochost\shell	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\.exe\DefaultIcon	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\prochost\shell\runas	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\prochost\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\sidebar2.exe\" /START \"%1\" %*"	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\prochost\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\.exe\shell\runas	2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_4f748e3e12b8e42e4846eaa9316d8012_mafia_nionspy.exe"
1⤵
- Modifies registry class
PID:4744
- C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe"
  2⤵
  PID:4380

C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe"
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe

Filesize
35KB

MD5
235caddb4e04b779e2f9beac062ac1bc

SHA1
1924fd1bae92d1e1dc19b9a92c229952c3b770f2

SHA256
9567b46a44c62148f613a563979e52df60a3d7611aa42745994d0e712ebaaf8c

SHA512
211e38765af429cdb0b04e468aa1423724f359bb527c409e24fe96163119015fb1232fe8b307bdf58a13ef4a92a5ac4dfd175bac5db36415e5cbb6fde6ae10d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe

Filesize
33KB

MD5
0f26aeca7061005f163bf636f64bdc26

SHA1
3c5ce47dd28f1b275051c09bc5b5408e40dcd54f

SHA256
de971da23ac308578323f275ad0779dd7391a648986f7d2335b4c765d9c7e92e

SHA512
7c80b08945bf92f6bfea79859692e5f5b6fdc9a737b0974582b19afd7a42b8ad8a5db283c09434afdc58ed573079f797d0256f4796918f50aba68a8b0b22fb54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe

Filesize
21KB

MD5
52509627ff685b29ae3af8f9670112cf

SHA1
7b418726c1f64a3d86130435051f43aeb043de60

SHA256
a3b757a1f726a11b071608781b9e00d5d76c8c283ca9853e7786c369d70ec81f

SHA512
a81491c1e7d24fbaa9da8c8f20c03c36c74ea0be88143617f0becfc4f24d9c33577225dc37580fa60337bf46c51ffc69b9a24c462319fa73922f3a5b15c351d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe

Filesize
54KB

MD5
be309e6cd936079caa273b9aca307a70

SHA1
baeaae16d88e5911ff0406cb5a524b64c5016e90

SHA256
e95620e4e926297f62f809f3f3ed59fc6e955ee61f6de68eadd398b1c462299a

SHA512
3b194f8870d0a96f9a0b6f0e184ecb6e1e68371f50f1c83374ca177a0f6ef013e2ca73e3b1838be3cd1e2e133ff3836bd9f4801a0145654a5f7629668d587e41

Download Submit