64b513da9d37614c8eff4155b1711bd4b74ef8cd729e61ca1d2778a00fe3814b

Analysis

max time kernel
135s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Size

280KB
MD5

537316c14eb26a309aa3b11d818e959f
SHA1

8d34a348b1f6ab94105b14ab55680dd6095ca85f
SHA256

64b513da9d37614c8eff4155b1711bd4b74ef8cd729e61ca1d2778a00fe3814b
SHA512

aff8c8c62cd37734aa4d2cc56b39e5b4bbb947c7eff7de5a8bd086f71b262fb726a61d3a3322b02f5fe956fc12325c722d8947fc108488b09fee1b6112aee0f3
SSDEEP

6144:ZQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:ZQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2576	dwmsys.exe
2736	dwmsys.exe

Loads dropped DLL 3 IoCs

pid	Process
1544	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
1544	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
1544	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\systemui\shell\runas\command	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\systemui\shell\open\command	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.exe\DefaultIcon	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.exe\shell\open	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\systemui\shell\open	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\systemui\shell\runas\command\ = "\"%1\" %*"	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.exe\ = "systemui"	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\dwmsys.exe\" /START \"%1\" %*"	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\systemui\ = "Application"	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\systemui\shell	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.exe\shell\runas	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\systemui\DefaultIcon\ = "%1"	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.exe	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.exe\shell\open\command	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.exe\shell	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\systemui\DefaultIcon	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\dwmsys.exe\" /START \"%1\" %*"	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\systemui\Content-Type = "application/x-msdownload"	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\systemui\shell\runas	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.exe\shell\runas\command	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\systemui	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2576	dwmsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2576	1544	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe	27
PID 1544 wrote to memory of 2576	1544	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe	27
PID 1544 wrote to memory of 2576	1544	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe	27
PID 1544 wrote to memory of 2576	1544	2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe	27
PID 2576 wrote to memory of 2736	2576	dwmsys.exe	28
PID 2576 wrote to memory of 2736	2576	dwmsys.exe	28
PID 2576 wrote to memory of 2736	2576	dwmsys.exe	28
PID 2576 wrote to memory of 2736	2576	dwmsys.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-26_537316c14eb26a309aa3b11d818e959f_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe"
    3⤵
    - Executes dropped EXE
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe

Filesize
280KB

MD5
e593e5324f809049cfdeec7812fa4710

SHA1
c4a839683dce60fda3f243fbcfa009085a6082e6

SHA256
c6f09441263fae7890a84eb487c2cef9800102519888baaa119f8a6f0c85ba50

SHA512
457ee07218c82c9a02a1c45b694374e92cde868f76d9a6f9ba85ab1659b8a3b962c17c2bcd0ec9f40519956c97a13a7e124df079a9ef68c1a343e16ca0a0f024

Download Submit