e238beefddce71ef690d2c518121dad1cb301de4037cbcc102a24a4948c7ca9a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Size

344KB
MD5

8f303194505a2d82efc89674946843dd
SHA1

02441b79c2d46b6691ca68c1e8d63b5419c74cfd
SHA256

e238beefddce71ef690d2c518121dad1cb301de4037cbcc102a24a4948c7ca9a
SHA512

ed963cc080382a2f811b8636452a839fa3dcb953f73c0ae18ba9302e7f5972402c2f456fc61b80593c7e920c7fd43b4c7d6499f9381d87dd630ad4e2100d9142
SSDEEP

6144:VoTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:qTBPFV0RyWl3h2E+7pYm0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2604	lsassys.exe
2608	lsassys.exe

Loads dropped DLL 4 IoCs

pid	Process
2168	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
2168	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
2168	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
2604	lsassys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\halnt\shell\runas\command	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\halnt\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\DefaultIcon	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\halnt\shell\open\command	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\halnt\shell\open	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\halnt\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\halnt\shell	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\halnt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\lsassys.exe\" /START \"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\halnt\shell\runas	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\halnt\shell\runas\command\ = "\"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\lsassys.exe\" /START \"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\ = "halnt"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\halnt\ = "Application"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\halnt\DefaultIcon	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\halnt\DefaultIcon\ = "%1"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\halnt	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open\command	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas\command	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\halnt\Content-Type = "application/x-msdownload"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2604	lsassys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2604	2168	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe	28
PID 2168 wrote to memory of 2604	2168	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe	28
PID 2168 wrote to memory of 2604	2168	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe	28
PID 2168 wrote to memory of 2604	2168	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe	28
PID 2604 wrote to memory of 2608	2604	lsassys.exe	29
PID 2604 wrote to memory of 2608	2604	lsassys.exe	29
PID 2604 wrote to memory of 2608	2604	lsassys.exe	29
PID 2604 wrote to memory of 2608	2604	lsassys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe"
    3⤵
    - Executes dropped EXE
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe

Filesize
344KB

MD5
b53c9035c6783439283fd618a53ab00d

SHA1
8b9227c26d927caf9513ec20755014461446e2e6

SHA256
0065838fea1cca0f05ff37a86ea501d947312d26b15e26797c8f5696f8bf9e83

SHA512
78cda0209175e1d82643f784f4816ad0553a4ad46fa8587085f1cf9328f0bf520eae317c4f8ecf222d3e682d1dcddd29b5a8b228f8a5226b61298ebc3b38d361

Download Submit