a683ca42892015abfce890026163ee73c199a2d602acc00e0e04a3bc71f428ad

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-03-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Size

344KB
MD5

f9f091755ec8e73248248dab8322d626
SHA1

e67c131ba30b9fcc039338a26120903f4481e137
SHA256

a683ca42892015abfce890026163ee73c199a2d602acc00e0e04a3bc71f428ad
SHA512

e6d5c1d6854c11b5be3197f643ef3bffc83af6ad87037a652f72c750d1014934a78b8ae7bbfead86446b08181eb1bb79cd33421c1f78381ea3c3fc05b737a9ad
SSDEEP

6144:+Tz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:+TBPFV0RyWl3h2E+7pYm0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2684	sidebar2.exe
2688	sidebar2.exe

Loads dropped DLL 4 IoCs

pid	Process
2484	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
2484	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
2484	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
2684	sidebar2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\prochost\shell\runas	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\prochost\DefaultIcon\ = "%1"	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas\command	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\prochost\shell\open\command	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\prochost\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\sidebar2.exe\" /START \"%1\" %*"	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\prochost\shell\open	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\prochost\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\ = "prochost"	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\sidebar2.exe\" /START \"%1\" %*"	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\DefaultIcon	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\prochost\Content-Type = "application/x-msdownload"	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\prochost\DefaultIcon	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\prochost\shell	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\prochost\shell\runas\command\ = "\"%1\" %*"	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\prochost	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\prochost\ = "Application"	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\prochost\shell\runas\command	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\prochost\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2684	sidebar2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2684	2484	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe	28
PID 2484 wrote to memory of 2684	2484	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe	28
PID 2484 wrote to memory of 2684	2484	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe	28
PID 2484 wrote to memory of 2684	2484	2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe	28
PID 2684 wrote to memory of 2688	2684	sidebar2.exe	29
PID 2684 wrote to memory of 2688	2684	sidebar2.exe	29
PID 2684 wrote to memory of 2688	2684	sidebar2.exe	29
PID 2684 wrote to memory of 2688	2684	sidebar2.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-18_f9f091755ec8e73248248dab8322d626_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe"
    3⤵
    - Executes dropped EXE
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe

Filesize
344KB

MD5
20d68f18711d46144f8e828e4dcabbf3

SHA1
dc38ed9bee92a3eafb6dc210418be3274cff5092

SHA256
064f336a2b132b7ee9be69ef367dd575297648a7de32ada02456462330b31f2f

SHA512
81f4bbc9e6cb18efc0e8c09dd90aa578589f4300545d57e14d7c464bccf5377b33e67733530809a5c5a92c4675085b26847916c18dac0085bb91dc1e89e8b46e

Download Submit