ca1384bf83adb3145db6a9e84ccc2bc4183fbb4f73838f0e0fe29b5d957ec6c2

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 08:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Size

327KB
MD5

fbccb1d83609254faa16b1b81e84a927
SHA1

1c9f5371af96b7dd1b1471b555f6ad7201626434
SHA256

ca1384bf83adb3145db6a9e84ccc2bc4183fbb4f73838f0e0fe29b5d957ec6c2
SHA512

f5ea29d011d7dd5234ef5aa514e428b03732f41aab42f2014ee12bd55b35067aedd8f72dbb63bbd28c7d5613a228966f2b8905e1d1fbfc8094c9dd55af5098c0
SSDEEP

6144:U2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:U2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2180	dwmsys.exe
2008	dwmsys.exe

Loads dropped DLL 4 IoCs

pid	Process
2340	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
2340	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
2340	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
2180	dwmsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\systemui\shell\open\command	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\systemui\shell\runas	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\systemui	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\systemui\ = "Application"	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\systemui\DefaultIcon\ = "%1"	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\dwmsys.exe\" /START \"%1\" %*"	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\dwmsys.exe\" /START \"%1\" %*"	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\systemui\shell\runas\command\ = "\"%1\" %*"	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\systemui\Content-Type = "application/x-msdownload"	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\systemui\shell	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\systemui\shell\runas\command	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\DefaultIcon	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\systemui\shell\open	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\ = "systemui"	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\systemui\DefaultIcon	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2180	dwmsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2180	2340	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe	28
PID 2340 wrote to memory of 2180	2340	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe	28
PID 2340 wrote to memory of 2180	2340	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe	28
PID 2340 wrote to memory of 2180	2340	2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe	28
PID 2180 wrote to memory of 2008	2180	dwmsys.exe	29
PID 2180 wrote to memory of 2008	2180	dwmsys.exe	29
PID 2180 wrote to memory of 2008	2180	dwmsys.exe	29
PID 2180 wrote to memory of 2008	2180	dwmsys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_fbccb1d83609254faa16b1b81e84a927_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe"
    3⤵
    - Executes dropped EXE
    PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe

Filesize
327KB

MD5
5873a13ca2609c7f3531f194fa3dde5f

SHA1
7ef8af0e40d7aa54ffcfc4a0a59ea7ab37ee4127

SHA256
ad755c707cbe3cf254b7b27a6b4f46317f865c96478433553fa1be96eb9cc65b

SHA512
c8869565b09ee50ace633ec613c3497e72fedd765a67c6bf65f4871918da6abcd0fb84f44e7b7164981e6fceb92f7343e4bf68b1cf0ac9f155b58734e05bb05c

Download Submit