7f66f325c7f5d2461252c5a954afa5f98b2d592e909cd47ff1bcc65c6aa6c088

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 15:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Size

280KB
MD5

608d2f879b1def5fe504d5353325abaf
SHA1

1fb4d542862e7e1eb4f2236b92be7275c2a08d88
SHA256

7f66f325c7f5d2461252c5a954afa5f98b2d592e909cd47ff1bcc65c6aa6c088
SHA512

7ff9b20fa684369e00aaa8030fb4740f0eb5ee883a92ea7d21a0f13c64c044b116f73756d6eb6dfb73d5e761718bcbc0bc3c72eaa4c307bf239a9b16e4a29590
SSDEEP

6144:zQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:zQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2496	SearchIndexerDB.exe
2592	SearchIndexerDB.exe

Loads dropped DLL 4 IoCs

pid	Process
1728	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
1728	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
1728	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
2496	SearchIndexerDB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cmos\DefaultIcon\ = "%1"	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cmos\shell\open\command	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\SearchIndexerDB.exe\" /START \"%1\" %*"	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cmos\Content-Type = "application/x-msdownload"	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cmos\shell\open	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cmos\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\SearchIndexerDB.exe\" /START \"%1\" %*"	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cmos\shell\runas	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cmos\shell	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cmos\ = "Application"	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cmos	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cmos\DefaultIcon	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cmos\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cmos\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\ = "cmos"	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cmos\shell\runas\command\ = "\"%1\" %*"	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\DefaultIcon	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\cmos\shell\runas\command	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2496	SearchIndexerDB.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2496	1728	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe	29
PID 1728 wrote to memory of 2496	1728	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe	29
PID 1728 wrote to memory of 2496	1728	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe	29
PID 1728 wrote to memory of 2496	1728	2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe	29
PID 2496 wrote to memory of 2592	2496	SearchIndexerDB.exe	30
PID 2496 wrote to memory of 2592	2496	SearchIndexerDB.exe	30
PID 2496 wrote to memory of 2592	2496	SearchIndexerDB.exe	30
PID 2496 wrote to memory of 2592	2496	SearchIndexerDB.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_608d2f879b1def5fe504d5353325abaf_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe"
    3⤵
    - Executes dropped EXE
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\SearchIndexerDB.exe

Filesize
280KB

MD5
17c676d04849fc0f992f00c18bf314aa

SHA1
c27df6b25bec27cc637aaf7f19bb7c129e038dc8

SHA256
573d5d1e90c2b36935ec97ea190aa889806dff774d862537f6ed643bc92550eb

SHA512
a342edd0a0dc6a735490831b9032521b8b2b44f7037a7d5b4691a763f0136a743d9064be6519ebc48d8a94ec60d6f5689f07a84301f907b2edbe3b48f5b28ca6

Download Submit