da172f3e06a3da04a73b9f0ba9d2236019a969a81254ee60bf033379fc629102

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Size

327KB
MD5

7323d589b391404dcba57a561a702fdb
SHA1

955eebb9085178e7b517f4325585c197d8553894
SHA256

da172f3e06a3da04a73b9f0ba9d2236019a969a81254ee60bf033379fc629102
SHA512

c0842a9915e3e5acf90dd11bf327cca4ce61df649e25934fa57c24711066feca985f34c4e24d10b5528a2ff5df0202d7fcdc6601ae26c269a9e080b4ee23c1a8
SSDEEP

6144:P2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:P2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2716	taskhostsys.exe
2780	taskhostsys.exe

Loads dropped DLL 4 IoCs

pid	Process
1928	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
1928	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
1928	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
2716	taskhostsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\jitc\shell\runas	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\jitc\DefaultIcon	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\jitc\shell\open\command	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\jitc\ = "Application"	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\taskhostsys.exe\" /START \"%1\" %*"	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\jitc\shell\runas\command	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\jitc\shell\runas\command\ = "\"%1\" %*"	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\runas\command	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\jitc\shell\open	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\open\command	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\jitc\shell	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\jitc	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\jitc\DefaultIcon\ = "%1"	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\open	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\taskhostsys.exe\" /START \"%1\" %*"	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\jitc\Content-Type = "application/x-msdownload"	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\runas	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\DefaultIcon	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\ = "jitc"	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2716	taskhostsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2716	1928	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe	22
PID 1928 wrote to memory of 2716	1928	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe	22
PID 1928 wrote to memory of 2716	1928	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe	22
PID 1928 wrote to memory of 2716	1928	2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe	22
PID 2716 wrote to memory of 2780	2716	taskhostsys.exe	21
PID 2716 wrote to memory of 2780	2716	taskhostsys.exe	21
PID 2716 wrote to memory of 2780	2716	taskhostsys.exe	21
PID 2716 wrote to memory of 2780	2716	taskhostsys.exe	21

C:\Users\Admin\AppData\Local\Temp\2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\taskhostsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\taskhostsys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716

C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\taskhostsys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\taskhostsys.exe"
1⤵
- Executes dropped EXE
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\taskhostsys.exe

Filesize
136KB

MD5
ba2436b71428d9e4309543a612ac373d

SHA1
b162351e7a915dc08439f772c0f3bf409b11c1dc

SHA256
1146a0173b4b6792f79b16d201718f3f8cda4c6e18bba9a9d0615dfe20d38d7b

SHA512
acc5644b313e7e5169f91e091566e838ba99fe4d84d1a7b0b0270eb82886c26318a907235f93a60eb67100de1c8f752c4a3e7091234fad32be6f0f0adc9030a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\taskhostsys.exe

Filesize
128KB

MD5
06638d65be6fb3c44fba0fbb003e2f1a

SHA1
961b08476d4a9f7eeba37b28aad7dac433f0a9cf

SHA256
753c9d71bd4dbdff5c6a91403cc5448d8ae96d29d8e27dc13e7a0e08571c5bde

SHA512
61d5dc77c8ec44e3a4628840af5fbfc882ac7a316060d3fc77b12d78be6b35b8ec7d417c29b7acf6bcbf7871a2cffc50e78d656634d72f6fb541f19f326d9fb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\taskhostsys.exe

Filesize
57KB

MD5
076a7ee92e0e75efcc447e3a42a7754b

SHA1
3bf5e68b62f26c9d132158807c45e01b163b44f2

SHA256
7e84135761a66591ddd40083e61c5bbf6a3be04aeb31027accd02b72d64b25b1

SHA512
2c6d1c558fa69594f92fa19b43427ed9f2464e79db62dd5bc6b8d32beefd8d6c4a56efcbb30d30f455d1374e264bac445ca732bdcf360e0ea6f125ba42c867f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\taskhostsys.exe

Filesize
187KB

MD5
832a7bea17fb6b519c0a0dbb89f6d959

SHA1
80a578484f908fd10de1f06b7db5b1635adbfb51

SHA256
599c4759d8760032aa95a14c16c0d82a33eb01fac451e0c447b1db06115d9ded

SHA512
5ddc965c7b2b5449461bec3fef821b40bc5903d61cc57e8d77d53669fa9e720b03a87f651e223ee25e1efa100d81ee6663d8833a70c25662d44c46427209187f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Sys32\taskhostsys.exe

Filesize
115KB

MD5
bdbcfe283903c33b0539c34abe70eb67

SHA1
525e60aeded88a78e999937d5fa51f9664e6ab61

SHA256
180d699a91989f0bdf42f30a692d014ef6e92e8775fcec21506e9dc88b375383

SHA512
1677ea6bb672fd504bfef23b24afca94c116ff0fb89f17aa432764e9bba7f68375fdf86b39a1ecbba8cd658852586e4f65fae2eafdd62c356ce1d018752fcb03

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Sys32\taskhostsys.exe

Filesize
142KB

MD5
4953bd9799337ee3d48b0e6e61e93057

SHA1
788dc2398a8ea069853c3bebe63d11fbecab83dc

SHA256
6bfcfc25f7b8c22f150dff14e55661b65f0d1e2d7712c6babacecaef2f4084e5

SHA512
19f021d59198cd4f20559d86548fb498ef9a943533f797636114a92912ddbc4cb2ef8ac1d4a3c19c8f135f0c0087ec015fac77d2d442448e2b022c1fea10c566

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Sys32\taskhostsys.exe

Filesize
92KB

MD5
7984df2534fc8b8cdb20c9c6ec48fc2d

SHA1
99ab5bb38f4e02ed8a6545b038a0156463665f69

SHA256
2743729dba527df3dbceee446502a18c33d31069b9d5a10081bc91aca1bcf031

SHA512
2fa235b4ad86a97dcd516cd718af70b948232a91731cbd6d9e86cff983e547810f1f86111e10597c6ec2313411fa0436b3ddfd79e543c62a18a9a65e5c90533a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Sys32\taskhostsys.exe

Filesize
31KB

MD5
71a876112f97af8cea2310237184247d

SHA1
6c1d5b28bf87364a0a2f7c7f7b4296356daf27b7

SHA256
4e8cbd813df9c049f71f1de45488d189a1fd424336f94efa3f92f65415530974

SHA512
de7537c75fd0ee6bb3c8c6205218939ba962c37a982609f1f5b6dddeb6d38d9cbcd124a74686f94826578d6bf9c9e3412f9c6e419d18dc7b9988701f7fe9c462

Download Submit