c279dc535ca7613ddd953e57160071b4bac622d8906f462c54f3e4d860cbefde

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Size

280KB
MD5

341ca8f4f65d95c6049e22e90771b44c
SHA1

d29c448b1a9f23f78164e6da5c1bda276aad5dee
SHA256

c279dc535ca7613ddd953e57160071b4bac622d8906f462c54f3e4d860cbefde
SHA512

2d479b8b4d367f0fcf6f6a176bfd042e99c5312b4cd8ffdd33ba8e3cb4986d360235beaa67d8cce4139b39137689e69895cba5028d0c02912dfb14e75685dcd4
SSDEEP

6144:7Tz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:7TBPFV0RyWl3h2E+7pl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2752	SearchIndexerDB.exe
2712	SearchIndexerDB.exe

Loads dropped DLL 4 IoCs

pid	Process
1700	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
1700	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
1700	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
2752	SearchIndexerDB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmos\DefaultIcon	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmos\shell\open	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmos\shell\open\command	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\runas	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmos\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\SearchIndexerDB.exe\" /START \"%1\" %*"	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmos\shell\runas\command	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\ = "cmos"	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\SearchIndexerDB.exe\" /START \"%1\" %*"	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmos	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmos\shell	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmos\shell\runas	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\DefaultIcon	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\open	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmos\Content-Type = "application/x-msdownload"	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmos\DefaultIcon\ = "%1"	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmos\shell\runas\command\ = "\"%1\" %*"	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\open\command	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.exe\shell\runas\command	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmos\ = "Application"	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmos\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\cmos\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2752	SearchIndexerDB.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2752	1700	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe	28
PID 1700 wrote to memory of 2752	1700	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe	28
PID 1700 wrote to memory of 2752	1700	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe	28
PID 1700 wrote to memory of 2752	1700	2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe	28
PID 2752 wrote to memory of 2712	2752	SearchIndexerDB.exe	29
PID 2752 wrote to memory of 2712	2752	SearchIndexerDB.exe	29
PID 2752 wrote to memory of 2712	2752	SearchIndexerDB.exe	29
PID 2752 wrote to memory of 2712	2752	SearchIndexerDB.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_341ca8f4f65d95c6049e22e90771b44c_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe"
    3⤵
    - Executes dropped EXE
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe

Filesize
280KB

MD5
8233a6d810fce402361fd9d130543073

SHA1
5f78bf9997484490a067edb5f4dc110e905f6b95

SHA256
244aeefb0f532c57ae505df42d85cd49d80fe824919a912a69ba258d98d68db4

SHA512
08f3448e6cd7ea63ec733a29aa891c14c3e2942ac4438b036375790e93858676d84a19473502736e4cd9bb12b1dce61238a3e28e6eff4054cae4cd67d5251c8c

Download Submit