18813f12b08e0527334d93ed319674fa6f82c60a46a48893a4c38cf7f7150994

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 14:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Size

327KB
MD5

961872f150210f72ae42a17f898d76c6
SHA1

9a1281268b894f8280e1ce27b5becb8935920949
SHA256

18813f12b08e0527334d93ed319674fa6f82c60a46a48893a4c38cf7f7150994
SHA512

9bef1f095ac83e376b95d348513dd1b6592b2ff7573e3098e65245781755fb9288ef06d2de789c1b6e41474241957d05bee4d5877abd2be3eebcb1418dd3333f
SSDEEP

6144:N2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDpmv:N2TFafJiHCWBWPMjVWrXKcmv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2992	taskhostsys.exe
2524	taskhostsys.exe

Loads dropped DLL 4 IoCs

pid	Process
2024	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
2024	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
2024	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
2992	taskhostsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\taskhostsys.exe\" /START \"%1\" %*"	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas\command	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\DefaultIcon	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open\command	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jitc\shell\runas\command	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jitc\shell\runas	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jitc\shell\runas\command\ = "\"%1\" %*"	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jitc\shell\open\command	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\taskhostsys.exe\" /START \"%1\" %*"	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jitc\Content-Type = "application/x-msdownload"	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jitc\shell	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\ = "jitc"	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\open	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jitc\ = "Application"	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jitc\DefaultIcon	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jitc\DefaultIcon\ = "%1"	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jitc\shell\open	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jitc	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2992	taskhostsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2992	2024	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe	28
PID 2024 wrote to memory of 2992	2024	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe	28
PID 2024 wrote to memory of 2992	2024	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe	28
PID 2024 wrote to memory of 2992	2024	2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe	28
PID 2992 wrote to memory of 2524	2992	taskhostsys.exe	29
PID 2992 wrote to memory of 2524	2992	taskhostsys.exe	29
PID 2992 wrote to memory of 2524	2992	taskhostsys.exe	29
PID 2992 wrote to memory of 2524	2992	taskhostsys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_961872f150210f72ae42a17f898d76c6_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe"
    3⤵
    - Executes dropped EXE
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe

Filesize
327KB

MD5
943143784f660869cd36aedeeedfea85

SHA1
5d5e06d2f210563accdb1b2c9e511bd3e9d8e699

SHA256
a05148290135aaea04344511da5c67e5225f4ae782655c5af9179beed336b1da

SHA512
d8ff56a82c459ac8b54cb6ea943087b67830c3999d6d2917d2aad1e07c4195f28abd1921caea66f324339ccac949b3d07b72825eca347692f66773b50dde4b7f

Download Submit
memory/2024-0-0x0000000000D70000-0x0000000000DC7000-memory.dmp

Filesize
348KB

Download
memory/2992-20-0x00000000011F0000-0x0000000001247000-memory.dmp

Filesize
348KB

Download