85d691c2d97034d07b34bfaf66f983aaca02970109fbaa986467804f6c65296b

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Size

288KB
MD5

dbb9e553e0a7e20faa71c89596383fe1
SHA1

b34ff40958973922ca790131b95b1ca9648265f7
SHA256

85d691c2d97034d07b34bfaf66f983aaca02970109fbaa986467804f6c65296b
SHA512

b4990fe895042aa6ae3dd29911d304334c1b7fe3f5f85c040309ee71ca5cdb9cde466832307c1c063c2eb5811ba7ad830acc9fa3c89d839b67339150bfae444d
SSDEEP

6144:UQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:UQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2780	dwmsys.exe
2588	dwmsys.exe

Loads dropped DLL 4 IoCs

pid	Process
2388	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
2388	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
2388	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
2780	dwmsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\systemui\shell\open\command	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\systemui\shell\runas\command\ = "\"%1\" %*"	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\open	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\systemui\ = "Application"	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\systemui\shell	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\ = "systemui"	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\open\command	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\systemui	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\systemui\shell\open	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\systemui\DefaultIcon\ = "%1"	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\DefaultIcon	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\dwmsys.exe\" /START \"%1\" %*"	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\systemui\shell\runas\command	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\systemui\Content-Type = "application/x-msdownload"	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\systemui\DefaultIcon	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\systemui\shell\runas	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\runas\command	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\dwmsys.exe\" /START \"%1\" %*"	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\runas	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2780	dwmsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2780	2388	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe	28
PID 2388 wrote to memory of 2780	2388	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe	28
PID 2388 wrote to memory of 2780	2388	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe	28
PID 2388 wrote to memory of 2780	2388	2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe	28
PID 2780 wrote to memory of 2588	2780	dwmsys.exe	29
PID 2780 wrote to memory of 2588	2780	dwmsys.exe	29
PID 2780 wrote to memory of 2588	2780	dwmsys.exe	29
PID 2780 wrote to memory of 2588	2780	dwmsys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_dbb9e553e0a7e20faa71c89596383fe1_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe"
    3⤵
    - Executes dropped EXE
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe

Filesize
288KB

MD5
149ef02c6dbae407dffb7a87e6610774

SHA1
922f7f71b9a792e541248a2d2a49a2daa66c6678

SHA256
fff2dc56bedb60fe705627f3f7688d087d2995bcdafd3d0ceb51e0675bde5f9c

SHA512
c5174dd86b6f7f097c0c56a6f4eeb23be637738825fd1164a067d08b96b20bc755d6cde761dbf881ecd614a834ff82525d86a2396f9bd555e45a1843b586bea6

Download Submit