9e770d4958b2dbbb029d7c6653aa2f77215a9103b70361034b97da6258faf146

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Size

344KB
MD5

20a4040bbaeaaf9fc3ad097bf4931ba8
SHA1

73a8a8dcf83321eaada59e1a60cc883b57ee54a9
SHA256

9e770d4958b2dbbb029d7c6653aa2f77215a9103b70361034b97da6258faf146
SHA512

253454a37f9b53b11c0560be7e5fa18cf3516d037ba801fdcea99f7c8b98d9586396a6a9a0cb0a99ff434c584c718c2dfdcf64db7d34d3ce5cbdf38ac911de81
SSDEEP

6144:MTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:MTBPFV0RyWl3h2E+7pYm0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2892	winit32.exe
2336	winit32.exe

Loads dropped DLL 4 IoCs

pid	Process
2236	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
2236	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
2236	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
2892	winit32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\ntdriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe\shell	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\winit32.exe\" /START \"%1\" %*"	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\ntdriver\shell	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\ntdriver\shell\runas	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\ntdriver\shell\runas\command	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe\ = "ntdriver"	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\ntdriver	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe\shell\runas\command	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe\shell\runas	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\ntdriver\DefaultIcon	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\ntdriver\shell\runas\command\ = "\"%1\" %*"	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\ntdriver\shell\open	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe\shell\open\command	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe\DefaultIcon	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\ntdriver\DefaultIcon\ = "%1"	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\ntdriver\shell\open\command	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\ntdriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\winit32.exe\" /START \"%1\" %*"	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\ntdriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe\shell\open	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\ntdriver\ = "Application"	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\ntdriver\Content-Type = "application/x-msdownload"	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2892	winit32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2892	2236	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe	28
PID 2236 wrote to memory of 2892	2236	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe	28
PID 2236 wrote to memory of 2892	2236	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe	28
PID 2236 wrote to memory of 2892	2236	2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe	28
PID 2892 wrote to memory of 2336	2892	winit32.exe	29
PID 2892 wrote to memory of 2336	2892	winit32.exe	29
PID 2892 wrote to memory of 2336	2892	winit32.exe	29
PID 2892 wrote to memory of 2336	2892	winit32.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_20a4040bbaeaaf9fc3ad097bf4931ba8_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Roaming\Microsoft\SView\winit32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SView\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\winit32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Roaming\Microsoft\SView\winit32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SView\winit32.exe"
    3⤵
    - Executes dropped EXE
    PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SView\winit32.exe

Filesize
250KB

MD5
2815539dcfc24da5803ef045ae6141b5

SHA1
6ab8bf824759d71aba1d51c231707c9c8728999a

SHA256
0f290af7ad7cb50e2d45e98cc3c7c14eebed82db89ed1ba432a5fe039607f07f

SHA512
6074594d81ba2acc2b7c10947693121084c380cd8c3702cb6b88dfab719dfe6b7b2d90e00fd19e1d4c8368c3f489418bf79705155d039ae45ecc7e4683eb46b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SView\winit32.exe

Filesize
295KB

MD5
c2e028b5855026adc4a4be9329d1abcd

SHA1
ad1a0ec3ff715c948db4e539b79583d85d36b80b

SHA256
3c0fa59884579d2e6ece2fa1df3896e35c0238b4b337de6609265c9ed002dc9a

SHA512
ec055810418df80269ff5563ab20bca1f64efc5cdfcb6326f7cc5855707db6ef0c425954bc716ecb92ee48fe162a5ba46e6f36b5fccf62eeef5795b45744d2c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SView\winit32.exe

Filesize
61KB

MD5
8212076178c779094ed6fa9b0457d7c1

SHA1
19f7eae523ef18581ad3aea8fb339f3ad691e46b

SHA256
978023e4331e24744633e2ec8484ae302e801c4d60eb38b617343455558bd8ff

SHA512
65e3892899fc75ce43ff293a958584c86decd68cee66088c10ba1f7e6a43e4c725f6c1b9871dd35bb579e7714fb8ab96c3d5fa308f5e3d0f33ce81b9f42f36d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SView\winit32.exe

Filesize
109KB

MD5
6e661494ac9e48e853b641b176918fa0

SHA1
4e761430a02af6c60f5b01cb96196682afda27be

SHA256
e171e1a38bb1f9737cff20628f4452564b449e1cf1f21c8466e5fd5c7e31a4cb

SHA512
08cc04c2037882758745586d430719735a8821588c57c73c139dbb88d2e16f4418b7639b4d688e3d433484525f845ddc74c1bf790fd6ea33618773b0473e5310

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SView\winit32.exe

Filesize
251KB

MD5
5fb6979ce4e1d371d74b465af1141108

SHA1
cc61f044fffc17ae9c00e053ede3e53f1ac0531c

SHA256
f02999dec4e68e99b300b45413d015d7507b8a4cd142fe39ebab552ad37aec18

SHA512
e16693291df266993ba50d576828620cd26162ad9c0b069d8e7aefcad3990870c4234c3db2a3ddf217613a68edffcc4a57e03b6ce3120f1c0ad85917a331d756

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SView\winit32.exe

Filesize
224KB

MD5
b030bd37720e4b61abe8fc6530abf0e1

SHA1
a0e0cc98e3a566d8116400265672f93a827bece0

SHA256
d937d6c47096065d8f0ecf22568ea8ca7994ad436d0c4cdd877943c0f198f92a

SHA512
728a0eba5d560aec32b6214dbaf26003b098479902b66579c7c437d7e39ccad394811ce7aa3a30ca176e6cd8d08ef2f31fc1a1de2ba18fcf9701ab496a8ae0ec

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SView\winit32.exe

Filesize
215KB

MD5
e5f207d712a9eb8e29acb61d29a928a2

SHA1
5a2d06d48df887c4a5c6b9eba10add5f88ec179d

SHA256
3b598739e1b62404fc12d9dc5b8510f8220501e13fb9e55ff942f1ac7deff34d

SHA512
cd9c070abadfbd6df4b2e96ae0df68b475d8e048de7c3a9d2ca3c5af6b9a70c83f71f412faa88d6bbed62b4ca2daaab9017c039eed2a2b1c41e7598b316af31d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SView\winit32.exe

Filesize
227KB

MD5
2eb8643290030705b8d973f11d1d4bd4

SHA1
a362468c771746b86517e8229cdfb595cadb7533

SHA256
b82a6241b2528f3d6beef4c799095cf06d3b9ab3ec8bbf8445255a45731e85f9

SHA512
16aec6954e0f5fd5833383acd1ab27b78fe923c6e366cc6c219525641e97de347e49fa8f0b59280968f87a916d0b0d430f0e154b100b24221d11820fab2da4a4

Download Submit