9363fc7a67fd6de266c0638fa9d12f0fe591983b70a3375899bf8562dfcdc024

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Size

328KB
MD5

9db761b8da4c4dbd08cb8ee4aa80a199
SHA1

d898b58bf7b606c1c508eeadee83db047f051129
SHA256

9363fc7a67fd6de266c0638fa9d12f0fe591983b70a3375899bf8562dfcdc024
SHA512

3970f24c0512b9fd39d7573b87bdc3a18945b2439cd68bd4f58cacaab9bc7bead584f8a18c1a3b764c1f8a7192cdec901871c7a1e832d6e4b50ea1535b2af432
SSDEEP

6144:z2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:z2TFafJiHCWBWPMjVWrXf1v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2748	dwmsys.exe
2888	dwmsys.exe

Loads dropped DLL 4 IoCs

pid	Process
1320	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
1320	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
1320	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
2748	dwmsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\ = "systemui"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\systemui\shell\open	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\systemui\shell\runas\command	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\systemui\Content-Type = "application/x-msdownload"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\systemui\DefaultIcon	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\systemui\DefaultIcon\ = "%1"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\systemui\shell	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\open	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\systemui\shell\runas\command\ = "\"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\DefaultIcon	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\open\command	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\runas\command	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\runas	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\systemui\ = "Application"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\systemui\shell\open\command	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\dwmsys.exe\" /START \"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\dwmsys.exe\" /START \"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\systemui	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\systemui\shell\runas	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2748	dwmsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2748	1320	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe	28
PID 1320 wrote to memory of 2748	1320	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe	28
PID 1320 wrote to memory of 2748	1320	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe	28
PID 1320 wrote to memory of 2748	1320	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe	28
PID 2748 wrote to memory of 2888	2748	dwmsys.exe	29
PID 2748 wrote to memory of 2888	2748	dwmsys.exe	29
PID 2748 wrote to memory of 2888	2748	dwmsys.exe	29
PID 2748 wrote to memory of 2888	2748	dwmsys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"
    3⤵
    - Executes dropped EXE
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe

Filesize
328KB

MD5
7198f52ecf773d82452d900f7cec7742

SHA1
df87c6a62bc4f97d1d5e5c4c2952faaa05656b51

SHA256
fdeb4d107e0d5108f4dec3a2c141375fd4d7b15e4d8e902b8e8f61d55972df51

SHA512
72efddfc29f3606310999d7135e18cb1e526d3128c0209c5279d71139d09a48771c49f1bfa3d42c8e506c89a09f5dc56a8fd90564ca50d2ba58a116f344c6c32

Download Submit