533fcbfc2d38a4d930166b79fef955ef0e0b215ddfa2cd4156a393b3974af91d

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 22:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Size

274KB
MD5

4bcc3d9f50c8bfc13ca16517773aaecc
SHA1

9653b2b058a6531cb900851f890f9e5a808df315
SHA256

533fcbfc2d38a4d930166b79fef955ef0e0b215ddfa2cd4156a393b3974af91d
SHA512

3f084c92546b02e45fd8f68d3bd7cb73e25e701ae571b8568a76ccdb6582cad8dd6a16dd8505cfd4114d57dd446567820c2820f1680168ead2b5a147f84b399c
SSDEEP

6144:/YvZ6brUj+bvqHXSpWr2Kqz83Oad3Jg4PlPDIQ+KLzDDg:/YvEbrUjp3SpWggd3JBPlPDIQ3g

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1948	taskhostsys.exe
2580	taskhostsys.exe

Loads dropped DLL 4 IoCs

pid	Process
3028	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
3028	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
3028	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
1948	taskhostsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\jitc\shell	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\jitc\shell\runas	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\jitc\DefaultIcon\ = "%1"	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\jitc\Content-Type = "application/x-msdownload"	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\jitc\shell\runas\command	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\ = "jitc"	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\DefaultIcon	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\jitc\DefaultIcon	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\open	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\runas	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\jitc	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\jitc\shell\open\command	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\jitc\shell\runas\command\ = "\"%1\" %*"	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\taskhostsys.exe\" /START \"%1\" %*"	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\jitc\ = "Application"	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\runas\command	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\jitc\shell\open	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\taskhostsys.exe\" /START \"%1\" %*"	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\open\command	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1948	taskhostsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1948	3028	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe	28
PID 3028 wrote to memory of 1948	3028	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe	28
PID 3028 wrote to memory of 1948	3028	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe	28
PID 3028 wrote to memory of 1948	3028	2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe	28
PID 1948 wrote to memory of 2580	1948	taskhostsys.exe	29
PID 1948 wrote to memory of 2580	1948	taskhostsys.exe	29
PID 1948 wrote to memory of 2580	1948	taskhostsys.exe	29
PID 1948 wrote to memory of 2580	1948	taskhostsys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_4bcc3d9f50c8bfc13ca16517773aaecc_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe"
    3⤵
    - Executes dropped EXE
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe

Filesize
274KB

MD5
24a92c98129ab52bcf92bf9ccdf5a0eb

SHA1
7bfe97d57cfbb0a4dd938555197414f477ee53f7

SHA256
c64b466856c0aafac2d370eb52852b1a574d139ef9ee4dd690d8072e158f026d

SHA512
4362826c8bf922725b95c7ddcad9f3ec0c895026d87117f9b997af04bd1a764394cdb7b75c76aa1c1b2e3eebce4e7ea45c96a6027090cc4e7feb4caa40a854e0

Download Submit