cdc106446e77f16cd0fd9f4c906add2d348faee232605deeaa7c0124d7aba6aa

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Size

288KB
MD5

764fab95abea783200e9af58d0a9ce63
SHA1

760e33316201faacfe1e24ff76a5fac5b7235c43
SHA256

cdc106446e77f16cd0fd9f4c906add2d348faee232605deeaa7c0124d7aba6aa
SHA512

36ee6c5ae0e3149276adb3d85da9e8b4fa2cc39e5da1fb4c15e5b830744df8119930625117cf3abb0148893d81c123a309ce475eb5f8d262044705748ad7babf
SSDEEP

6144:HQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:HQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2576	sidebar2.exe
2832	sidebar2.exe

Loads dropped DLL 4 IoCs

pid	Process
2100	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
2100	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
2100	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
2576	sidebar2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\prochost\shell\runas\command\ = "\"%1\" %*"	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\DefaultIcon	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\prochost\shell\open	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\prochost\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\prochost\shell\runas\command	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\prochost\DefaultIcon	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\prochost\shell\runas	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\sidebar2.exe\" /START \"%1\" %*"	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\prochost	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\prochost\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\sidebar2.exe\" /START \"%1\" %*"	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\prochost\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\prochost\shell\open\command	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\ = "prochost"	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\prochost\ = "Application"	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\prochost\shell	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open\command	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas\command	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\prochost\Content-Type = "application/x-msdownload"	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\prochost\DefaultIcon\ = "%1"	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2576	sidebar2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2576	2100	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe	28
PID 2100 wrote to memory of 2576	2100	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe	28
PID 2100 wrote to memory of 2576	2100	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe	28
PID 2100 wrote to memory of 2576	2100	2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe	28
PID 2576 wrote to memory of 2832	2576	sidebar2.exe	29
PID 2576 wrote to memory of 2832	2576	sidebar2.exe	29
PID 2576 wrote to memory of 2832	2576	sidebar2.exe	29
PID 2576 wrote to memory of 2832	2576	sidebar2.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-25_764fab95abea783200e9af58d0a9ce63_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe"
    3⤵
    - Executes dropped EXE
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe

Filesize
288KB

MD5
7710ae82ddc293e34d26bb63d4fa0fc7

SHA1
b92b4c4589398201cab48513ef51eedd7c1661c0

SHA256
7f5c5df58d68a4415ff66ff0c85563ba78ff22a2d424f1babc4e5ec65b33dfa8

SHA512
12a3a1dcc2e4e2c943bfb77f4ce8a594d8c455956f9259a0100bdada236fe636043376797c8b8de1d84f360c47ea999a5531bcddf5de7cdf1743072db5969503

Download Submit