1254185056f708c61f7d142f2515818d76684216567f9d46704a9b0f8ec875ca

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Size

328KB
MD5

d1c0721bfccd7fd761e2860587cafa8d
SHA1

05318669bf9031d2704ae436bea971db5daddeca
SHA256

1254185056f708c61f7d142f2515818d76684216567f9d46704a9b0f8ec875ca
SHA512

096f30bc3e078073c3da82aebdf73a74e91dd43830f4637ff1d4f481e7a24c79503bedacf3a719760498fccb71ab3835aaceb0eb0a1017f2cc93885b6caf51db
SSDEEP

6144:n2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:n2TFafJiHCWBWPMjVWrXf1v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2836	winit32.exe
3028	winit32.exe

Loads dropped DLL 4 IoCs

pid	Process
2232	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
2232	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
2232	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
2836	winit32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.exe\DefaultIcon	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ntdriver\shell\runas\command\ = "\"%1\" %*"	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ntdriver\Content-Type = "application/x-msdownload"	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ntdriver\shell\open	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ntdriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\winit32.exe\" /START \"%1\" %*"	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.exe\shell\open\command	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ntdriver\ = "Application"	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ntdriver\DefaultIcon\ = "%1"	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.exe\ = "ntdriver"	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.exe\shell\open	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ntdriver	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\winit32.exe\" /START \"%1\" %*"	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ntdriver\shell\runas	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.exe	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ntdriver\shell	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.exe\shell\runas	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ntdriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ntdriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ntdriver\shell\open\command	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ntdriver\shell\runas\command	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.exe\shell	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.exe\shell\runas\command	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ntdriver\DefaultIcon	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2836	winit32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2836	2232	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe	28
PID 2232 wrote to memory of 2836	2232	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe	28
PID 2232 wrote to memory of 2836	2232	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe	28
PID 2232 wrote to memory of 2836	2232	2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe	28
PID 2836 wrote to memory of 3028	2836	winit32.exe	29
PID 2836 wrote to memory of 3028	2836	winit32.exe	29
PID 2836 wrote to memory of 3028	2836	winit32.exe	29
PID 2836 wrote to memory of 3028	2836	winit32.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_d1c0721bfccd7fd761e2860587cafa8d_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe"
    3⤵
    - Executes dropped EXE
    PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe

Filesize
171KB

MD5
ddd18026ed851c63c088e781e40a3159

SHA1
f8814d3575b620400c292b9f3de7acbcfe1612e8

SHA256
c8815a68367b89b40d836681e85899f9b1eead3ba7e74572aced42fc6a57b15b

SHA512
d4ff9e2518d144b5120891073df40faf87df7771ad64f76428c248a9735763173fa2362272d09b0007b92b30054a6b4349eeae94d83607327d139ab24aaf4e8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe

Filesize
178KB

MD5
dcfc6e827dceb1d1b2e515e70b1d12dc

SHA1
660330a851c9dcf90206f1eab90073b4ab1f4112

SHA256
28c28bb285940def386075c2e3f91f8d6d25c9ed3798d8171cc0b69efd447ffe

SHA512
779eeb742f8a5cb1e3c9b8a2bb3b05d95694565a3015ce3c65723b1f5d637e147756b999f89e3f49abd228f86513e6cc39250b77679bd79f20648de7716fafaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe

Filesize
236KB

MD5
f97bb7c44913ce30603e10800674ba48

SHA1
19ca13a22ec1c63fbf490c13db6283f8a40aee66

SHA256
5328da9e42526447b78951b2e0c31513f40504e571bae65ac077d2a504e0cef7

SHA512
6f4d00fe3ba9c7d6b05c1492ae9052d37f1a2590f4839f440e5a92c789d439a0d68dee8dbaa95721b790574e6b24b411dbc996aa87e1ad492fe0df16ee55bea6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe

Filesize
328KB

MD5
87b8f2dbb31e0429df235cc5e33bfc07

SHA1
e44ad14856865c087d6e6092fb66c3dfce1fee8a

SHA256
91fc133c7825a6bde4e7c39ce3dabb976809bb153c5c7ff46425b5c81e2a4bcd

SHA512
5abcc00ff245f610ac76dd688ed5a0cd8264bfadb3b9d1838468ef06765bc1fd417155008fe5b074b97384395f9e2b1eb62000a1cbc6394a8f44405867d5165f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe

Filesize
316KB

MD5
df7924ffd7f3aa87476dbd735ca98b7d

SHA1
17a9216c82713748e7207ae5ffebc6020dd388bd

SHA256
548c21aaeb5dece34cd61a300b2af9b910401b836ed075ea36c03dfff7dd50bc

SHA512
71e9d1a6d655fc35734a65bde8a6875f5e7a47c9464f3dc6442396abb8bbad6b6eb03377e92d4b9ce30a46c7733cbd5e6bd8c6ac9caa1a6901e61d58bc65326b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe

Filesize
193KB

MD5
396f18b2aba2f5ccf4be9563ac82d5cb

SHA1
d04e37381ebfad8899d4cc146f6626e0fef084d9

SHA256
952059e32371ba22c9dbf91c3522546c49428997404f39718f40c64ef6d20f5c

SHA512
9ee2a3e797af436ee67fd917b4a6093b9293a985962c2fc2b6ef156bb0aa032b0dadbfb6a59326d6c309a3f8ada98a9307b07832f6d8ae2e50c72ac6154d0d5c

Download Submit