33c66bb6f962494eb6648e4236b023725797630198b1907d6b6da8ae3fc47d7d

Analysis

max time kernel
126s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Size

327KB
MD5

d31d0c42023c5e056d3b55283c7e5ce1
SHA1

5a8d453c52c21945a5e17ac5af94750518b1b9b9
SHA256

33c66bb6f962494eb6648e4236b023725797630198b1907d6b6da8ae3fc47d7d
SHA512

01cab12f9020f0f846b7906981d73b0c36e49e83b7da4bafd84b3c34fa93aab2a700bfbd3ddcab8433c2e9670731bfebd675f250534c7af47ff72211d3d98151
SSDEEP

6144:V2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:V2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2700	lsassys.exe
2000	lsassys.exe

Loads dropped DLL 3 IoCs

pid	Process
2244	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
2244	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
2244	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\lsassys.exe\" /START \"%1\" %*"	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\halnt\DefaultIcon	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\halnt\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\halnt\DefaultIcon\ = "%1"	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\open	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\halnt\ = "Application"	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\halnt\shell\open	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\halnt\shell\runas	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\open\command	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\halnt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\lsassys.exe\" /START \"%1\" %*"	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\halnt\shell\runas\command\ = "\"%1\" %*"	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\halnt\Content-Type = "application/x-msdownload"	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\halnt\shell\open\command	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\halnt\shell	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\halnt\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\halnt\shell\runas\command	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\ = "halnt"	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\halnt	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\runas\command	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\runas	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\DefaultIcon	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2700	lsassys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2700	2244	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe	29
PID 2244 wrote to memory of 2700	2244	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe	29
PID 2244 wrote to memory of 2700	2244	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe	29
PID 2244 wrote to memory of 2700	2244	2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe	29
PID 2700 wrote to memory of 2000	2700	lsassys.exe	28
PID 2700 wrote to memory of 2000	2700	lsassys.exe	28
PID 2700 wrote to memory of 2000	2700	lsassys.exe	28
PID 2700 wrote to memory of 2000	2700	lsassys.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_d31d0c42023c5e056d3b55283c7e5ce1_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe"
1⤵
- Executes dropped EXE
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe

Filesize
327KB

MD5
55818af3a4341e78c7ffa758b8682710

SHA1
78302fef035e0166534623c563cb4a20b0162ac5

SHA256
7598f10d0b61ad2e5a6494e01e97d9f6e7bda0c0f1bcff0934ca51010c69bea6

SHA512
307ac4fba9cd826ae9afc0e3b88baad360088006d99a2b3207b4ccbb8a350df72fc674541958bf037cd7fd5c0f67fda18c28641e74b21e89c729b4ca776127a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe

Filesize
92KB

MD5
a1851c65e6f0ad93b4649428e2a9f0c9

SHA1
d9a5625c22dcda9923bc87732cadb2682c5b7e78

SHA256
c40612e84851636d451653d55a5a517b51aa6f1371c61278771f8844e766d846

SHA512
504fb15621ef523486afb1b15627333dda642d7aa3df90a3ef6b347d90cffc05c54686da5e6ba985b46ce2997e17c11524ceeab339731ae7c966ab132fc0a7ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe

Filesize
43KB

MD5
c168a2d4870fac6e93860fb14c296593

SHA1
065da29e5b9c45256bb3be4eac364e8cacaf8097

SHA256
892d994581181468dafc8dbacef0f5c2028a1c7252360530c6c7cdd8da8a52b3

SHA512
0f917e280ee984b6071fa8d618b2624bb5e3eb388094d103ad203a0884101ee65a4b5a1646e7b27aabf1622f20c4367a3ab11ae6ef7ef726e8595cae1b3c7e0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe

Filesize
145KB

MD5
1a680580c236be0b36838660c8be7817

SHA1
07826ffffda8ebb83dc476fc4be0b0d92b99ada5

SHA256
fea5892b450b15e3ecf1672a27aed665c9ede71250736cf8a619d91c20733d75

SHA512
df98cfd3ed32f8b2f69bfc0c3f2b088d366dfcf7efe49e1be89e749ca1e82b251437db785c9504d4cb84247673fdd035ec095e3fec3d4a7f369be99faa5305ca

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe

Filesize
89KB

MD5
cb74b3a285a1a541604fdf193b9b7a7b

SHA1
44e7418a6a197449db4acf2dc7a3fb157d51a07b

SHA256
1f1d1c05173b726d9392050ad71d98b1b43d7ca82f6aae70e62e8cd735c3df68

SHA512
a7db64976097a3d7406765ab67954ba26f90eb959e53a7078c37d5c556fe307cb8b3de81b7760f38ff3569a33d9d28fe0419a990b394a79cdc65a6eadf96d3bd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe

Filesize
124KB

MD5
f832021a3df57ed15fbe970591cdda5a

SHA1
29645c6a9b8caf838a5a220e3827528fef7a6fe7

SHA256
1f9789a55c451fe0f73537310ed9f86a616dde3286937a1efb86c1587da9a0e2

SHA512
7c3586ed5bbcde4f92249fe5b1def9cda3b682dbcf4ed39591c38fdaa97c32a7ba93d2a598f35648e07bf4581b1d5d77d2822c10133b9625c37182891ba1d0a0

Download Submit