b75b1b36783f8e09411dbb366e1e1e6936dc6d36339e5dd0baad89e8646d49e1

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 20:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Size

280KB
MD5

e81d376b5a86fa6b49870a9efafc4ffd
SHA1

9cc3cefd965db66e811316ddcf0df2764d9b72e6
SHA256

b75b1b36783f8e09411dbb366e1e1e6936dc6d36339e5dd0baad89e8646d49e1
SHA512

47be397d80bd1d928ebe23c01b8220a2b6779887cdbae07573afaf3129afff7c1cac59fcba61a5a60efa3759bae7a835e3b9b70543a90d6e2833ce23e9b80a4c
SSDEEP

6144:GQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:GQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2892	dwmsys.exe
2616	dwmsys.exe

Loads dropped DLL 3 IoCs

pid	Process
1896	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
1896	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
1896	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\open\command	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\systemui\Content-Type = "application/x-msdownload"	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\systemui\shell\open\command	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\systemui\shell\runas\command\ = "\"%1\" %*"	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\runas\command	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\systemui\ = "Application"	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\systemui\shell\runas\command	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\DefaultIcon	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\systemui	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\systemui\shell	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\dwmsys.exe\" /START \"%1\" %*"	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\dwmsys.exe\" /START \"%1\" %*"	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\open	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\runas	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\systemui\DefaultIcon	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\systemui\DefaultIcon\ = "%1"	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\systemui\shell\runas	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\systemui\shell\open	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\ = "systemui"	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2892	dwmsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2892	1896	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe	28
PID 1896 wrote to memory of 2892	1896	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe	28
PID 1896 wrote to memory of 2892	1896	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe	28
PID 1896 wrote to memory of 2892	1896	2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe	28
PID 2892 wrote to memory of 2616	2892	dwmsys.exe	29
PID 2892 wrote to memory of 2616	2892	dwmsys.exe	29
PID 2892 wrote to memory of 2616	2892	dwmsys.exe	29
PID 2892 wrote to memory of 2616	2892	dwmsys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_e81d376b5a86fa6b49870a9efafc4ffd_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"
    3⤵
    - Executes dropped EXE
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe

Filesize
280KB

MD5
caea9db85a484af69e38d1f157a91e05

SHA1
8f0a6fd1d6c48a92da0a59571446c2166b4d38b2

SHA256
5546fcafca6a4ed16be635315236fe48293edcf4ed822c25862891cabeda6916

SHA512
f2bdc343f3cd90d01590ebe62db19ad232367a523c2d84a0eb9e2710d3148b058212556c5a6b724a8b563aa32c27081bccca5180b0943bbc2eb8cc958684d25f

Download Submit