95708496d31b1e35c7f24e4b6ecf85c7302e8085dd81e18e8c23758a644e68dc

Analysis

max time kernel
121s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Size

328KB
MD5

70fd3d85b7231cc03207e56eccd3809c
SHA1

076cf5f3eaa7ea71fc11d8e753d8d7f7ad82ea6a
SHA256

95708496d31b1e35c7f24e4b6ecf85c7302e8085dd81e18e8c23758a644e68dc
SHA512

95826fc08a760c12c70aca8115539249c7905b68776a87e3f382a8b03ae8e932a1d15aa41863c4488c085cb21ae6e2d1da79db3f5656d96e963e31fc45aeafbe
SSDEEP

6144:T2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:T2TFafJiHCWBWPMjVWrXf1v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2460	dwmsys.exe
2776	dwmsys.exe

Loads dropped DLL 4 IoCs

pid	Process
2104	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
2104	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
2104	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
2460	dwmsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\systemui\shell\open	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\systemui\shell\runas	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\systemui	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\systemui\ = "Application"	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\runas\command	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\dwmsys.exe\" /START \"%1\" %*"	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\systemui\shell\runas\command	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\systemui\shell\runas\command\ = "\"%1\" %*"	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\open\command	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\systemui\DefaultIcon	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\systemui\shell	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\DefaultIcon	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\open	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\systemui\Content-Type = "application/x-msdownload"	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\ = "systemui"	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\runas	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\dwmsys.exe\" /START \"%1\" %*"	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\systemui\DefaultIcon\ = "%1"	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\systemui\shell\open\command	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2460	dwmsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2460	2104	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe	28
PID 2104 wrote to memory of 2460	2104	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe	28
PID 2104 wrote to memory of 2460	2104	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe	28
PID 2104 wrote to memory of 2460	2104	2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe	28
PID 2460 wrote to memory of 2776	2460	dwmsys.exe	29
PID 2460 wrote to memory of 2776	2460	dwmsys.exe	29
PID 2460 wrote to memory of 2776	2460	dwmsys.exe	29
PID 2460 wrote to memory of 2776	2460	dwmsys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_70fd3d85b7231cc03207e56eccd3809c_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe"
    3⤵
    - Executes dropped EXE
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\dwmsys.exe

Filesize
328KB

MD5
3493bbe04f895fbe57c9e1a87ca5411f

SHA1
39d4149988b6cfc8bc55838d428217a876422e31

SHA256
170a003b601152925f04c58035a9a240f23b729458d2539c6e771433426c4d41

SHA512
40a130e9d0b95d6dbc9a52c8e38091239292dd344c9a10cd1caad4bf690761db763bcc89b2907dc6de4723346d7d20da5714d66f375fbe363d09fbc672934000

Download Submit