9488557b48f89bf068b106f0ec329e8761cc736f742916380d771f05f3ac83c3

Analysis

max time kernel
122s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 01:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Size

327KB
MD5

5122529815fbaa316255966e87becab6
SHA1

9ebb8604e0222b8d0aed7c151314666e7468bbc8
SHA256

9488557b48f89bf068b106f0ec329e8761cc736f742916380d771f05f3ac83c3
SHA512

bf9c7db7434f21a2c6c4dc0973c7b8d43cf865bc690c8d084d609b828fcb2dd31e88fd12c5bae32d711bd1192e3af866d4ee2d8a29a1caaf672b4ac6f3099313
SSDEEP

6144:p2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:p2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2720	sidebar2.exe
2764	sidebar2.exe

Loads dropped DLL 3 IoCs

pid	Process
2956	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
2956	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
2956	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\prochost\shell	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\prochost\shell\runas\command\ = "\"%1\" %*"	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\prochost	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\prochost\Content-Type = "application/x-msdownload"	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\prochost\DefaultIcon\ = "%1"	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\prochost\shell\open\command	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\prochost\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\prochost\shell\open	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\prochost\shell\runas\command	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\ = "prochost"	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\runas\command	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\prochost\DefaultIcon	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\prochost\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\sidebar2.exe\" /START \"%1\" %*"	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\prochost\shell\runas	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\open\command	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\prochost\ = "Application"	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\DefaultIcon	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\runas	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\prochost\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\open	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\sidebar2.exe\" /START \"%1\" %*"	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2720	sidebar2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2720	2956	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe	28
PID 2956 wrote to memory of 2720	2956	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe	28
PID 2956 wrote to memory of 2720	2956	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe	28
PID 2956 wrote to memory of 2720	2956	2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe	28
PID 2720 wrote to memory of 2764	2720	sidebar2.exe	29
PID 2720 wrote to memory of 2764	2720	sidebar2.exe	29
PID 2720 wrote to memory of 2764	2720	sidebar2.exe	29
PID 2720 wrote to memory of 2764	2720	sidebar2.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_5122529815fbaa316255966e87becab6_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe"
    3⤵
    - Executes dropped EXE
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe

Filesize
327KB

MD5
d789c9bb72ea4e9bb3c2b0a9f441a2f4

SHA1
a65c428a770c18e0fbe1a4ed3535de3eab28a782

SHA256
2b6c540e9933cadf23029e0884cca8507a76ff2377898d8901f621d99c54f998

SHA512
7c579258d9359f4309642ae0047273b7dc019f5a82740d2360a20bfc25eee6d81c689c7286583dd13c4bca8918f5faf84b7fa8d57715ccf2d41cda2c97ceca94

Download Submit