532d1b3fc5d1460fba28b8b0e7bd19f568df8c817f5bb57dc883689c740d2b11

Analysis

max time kernel
121s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Size

288KB
MD5

5e6c86f09982b2ceb085389b1f132924
SHA1

71322dbc725572fc922826bd82f282b1e595ebeb
SHA256

532d1b3fc5d1460fba28b8b0e7bd19f568df8c817f5bb57dc883689c740d2b11
SHA512

758adabdfefb6b950498732668f62074bb5bf2bf64b783676d598b01d4ea3f4986071c2c64ca9f2d6e29adffab346460dccbf29f7936d6fd3dc999e248730ea9
SSDEEP

6144:zQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:zQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2596	SearchIndexerDB.exe
2800	SearchIndexerDB.exe

Loads dropped DLL 4 IoCs

pid	Process
2276	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
2276	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
2276	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
2596	SearchIndexerDB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\ = "cmos"	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\cmos\shell\open	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\SearchIndexerDB.exe\" /START \"%1\" %*"	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\cmos\shell\open\command	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\cmos\shell\runas	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\open	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\cmos\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\SearchIndexerDB.exe\" /START \"%1\" %*"	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\cmos\DefaultIcon\ = "%1"	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\cmos\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\cmos\shell\runas\command\ = "\"%1\" %*"	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\cmos\DefaultIcon	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\cmos\shell\runas\command	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\open\command	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\runas	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\cmos\Content-Type = "application/x-msdownload"	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\cmos\shell	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\cmos\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\DefaultIcon	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\runas\command	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\cmos\ = "Application"	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\cmos	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2596	SearchIndexerDB.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2596	2276	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe	28
PID 2276 wrote to memory of 2596	2276	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe	28
PID 2276 wrote to memory of 2596	2276	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe	28
PID 2276 wrote to memory of 2596	2276	2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe	28
PID 2596 wrote to memory of 2800	2596	SearchIndexerDB.exe	29
PID 2596 wrote to memory of 2800	2596	SearchIndexerDB.exe	29
PID 2596 wrote to memory of 2800	2596	SearchIndexerDB.exe	29
PID 2596 wrote to memory of 2800	2596	SearchIndexerDB.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_5e6c86f09982b2ceb085389b1f132924_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\SearchIndexerDB.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\SearchIndexerDB.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\SearchIndexerDB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\SearchIndexerDB.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\SearchIndexerDB.exe"
    3⤵
    - Executes dropped EXE
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Sys32\SearchIndexerDB.exe

Filesize
288KB

MD5
ee103854185898ba320d963f83dc7923

SHA1
b26b86702b82f578f48e04e847765703a0075cb6

SHA256
dd3c4e6492d645d6b816cd5705cab61227fae3392273f0644940b0a45b3ab428

SHA512
37781cdd6e3c1dacbc8c14abd149e5279594cd773216bab8d7458ae2a9fc0ef3ef86a08ae4c94b8ad8635f6de4c6353f8dfb635435de9464ee0c5119c9c681cf

Download Submit