54bc04a065390bb26b50545b30d90bdf43a4ad8188346257094e194f505deac3

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Size

327KB
MD5

bb5ff3182739cf9b196117e76c809e25
SHA1

c2a7f97da376c1aa99f4296c3dc752352af4d1ad
SHA256

54bc04a065390bb26b50545b30d90bdf43a4ad8188346257094e194f505deac3
SHA512

e58131c8272b1151b9ff8afb9592acf1efa6e6e446fef9fc9806528ac951cb7738e41a0ca524ac948223a5337668520575849f58238f26f1757639d8b6a79b35
SSDEEP

6144:S2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:S2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1996	sidebar2.exe
2768	sidebar2.exe

Loads dropped DLL 3 IoCs

pid	Process
1732	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
1732	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
1732	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\runas\command	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\prochost\DefaultIcon	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\prochost\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\open	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\prochost\Content-Type = "application/x-msdownload"	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\prochost\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\ = "prochost"	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\open\command	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\prochost\shell\open\command	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\prochost\shell	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\prochost\ = "Application"	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\prochost\shell\open	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\prochost\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\sidebar2.exe\" /START \"%1\" %*"	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\prochost\shell\runas\command	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\prochost\shell\runas	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\DefaultIcon	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\prochost	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\prochost\DefaultIcon\ = "%1"	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\runas	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\prochost\shell\runas\command\ = "\"%1\" %*"	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\sidebar2.exe\" /START \"%1\" %*"	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1996	sidebar2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1996	1732	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe	28
PID 1732 wrote to memory of 1996	1732	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe	28
PID 1732 wrote to memory of 1996	1732	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe	28
PID 1732 wrote to memory of 1996	1732	2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe	28
PID 1996 wrote to memory of 2768	1996	sidebar2.exe	29
PID 1996 wrote to memory of 2768	1996	sidebar2.exe	29
PID 1996 wrote to memory of 2768	1996	sidebar2.exe	29
PID 1996 wrote to memory of 2768	1996	sidebar2.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_bb5ff3182739cf9b196117e76c809e25_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe"
    3⤵
    - Executes dropped EXE
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe

Filesize
327KB

MD5
ac2e1f23e4e8c3cc1cf9a90a75729c85

SHA1
ca515e240478976b6e9e8de427043808180b1c0b

SHA256
5df6539bb12b868323001f11bf22cb8bcab77a492fe4a867d5480309ab4a9f7f

SHA512
f966a1119a3f875a7ad77ec9c489cc22934d14961207cba90acd77c0c8da1a3498c25caa1edb0475e77bb9e20434c90f6a15046a3fad3f6cf91ed4dd3e79f5ea

Download Submit