71e3b0ed0049a94a0e79d10a1238f8eb4081c2537552cc14c7e792a661ad4ebc

General

Target

2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Size

280KB
MD5

8af0a9b33e141b2dffd58800fc02ad83
SHA1

4ea588994e0b6ecb2b35c1d8a8b5ee77dad42129
SHA256

71e3b0ed0049a94a0e79d10a1238f8eb4081c2537552cc14c7e792a661ad4ebc
SHA512

c6e4562860fa2d563a28beba79b70b2761da5a8367b666f131bb9df019992c5fd7b5388ce1312dc4faa928b9202b245bed29eced34c5197a071e106d8492c769
SSDEEP

6144:yTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:yTBPFV0RyWl3h2E+7pl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

lsassys.exelsassys.exe

pid process

2540 lsassys.exe
2648 lsassys.exe

pid	process
2540	lsassys.exe
2648	lsassys.exe

Loads dropped DLL 3 IoCs

Processes:

2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe

pid	process
1152	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
1152	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
1152	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

Processes:

2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\halnt\DefaultIcon\ = "%1"	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\halnt\shell\runas\command	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\halnt	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\halnt\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas\command	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\halnt\shell\runas\command\ = "\"%1\" %*"	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\lsassys.exe\" /START \"%1\" %*"	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\halnt\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\halnt\Content-Type = "application/x-msdownload"	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\halnt\shell\open\command	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\halnt\shell	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\halnt\shell\open	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\halnt\ = "Application"	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\halnt\DefaultIcon	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\DefaultIcon	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\halnt\shell\runas	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\ = "halnt"	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\halnt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\lsassys.exe\" /START \"%1\" %*"	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

lsassys.exe

description pid process

Token: SeIncBasePriorityPrivilege 2540 lsassys.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2540	lsassys.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exelsassys.exe

description	pid	process	target process
PID 1152 wrote to memory of 2540	1152	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe	lsassys.exe
PID 1152 wrote to memory of 2540	1152	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe	lsassys.exe
PID 1152 wrote to memory of 2540	1152	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe	lsassys.exe
PID 1152 wrote to memory of 2540	1152	2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe	lsassys.exe
PID 2540 wrote to memory of 2648	2540	lsassys.exe	lsassys.exe
PID 2540 wrote to memory of 2648	2540	lsassys.exe	lsassys.exe
PID 2540 wrote to memory of 2648	2540	lsassys.exe	lsassys.exe
PID 2540 wrote to memory of 2648	2540	lsassys.exe	lsassys.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe"
3⤵
- Executes dropped EXE
PID:2648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe
Filesize
280KB

MD5
18e3bb20423285971b5a46e0fc0c3214

SHA1
652da7c62a9b832d546b1560fa3c43a1c277ccfe

SHA256
ddce677ac0a59a2ad830e2021e0e335fb2d575ed340403b33de08350fcd175d0

SHA512
16c1088fc98afab5c1faeb947ff181febf051d13c5f5cb312a584dba96648e3d0d059698fc70c96480be05a5adad0f802130b868654e993d8211df03987deeb7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads