7950a71e2dedb6395e41385694dc531aaa34b56fd331d65da495bc16598779ac

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Size

344KB
MD5

d364fdb270c826587443f2a4bfa2af3d
SHA1

3bffa485b53451d5f4f0a398d352a01480bbffd9
SHA256

7950a71e2dedb6395e41385694dc531aaa34b56fd331d65da495bc16598779ac
SHA512

ab1d19aebaac9abc28a996498b85ab8c8d73228c01534feda978579db6ed7b8c5cb0b6522c48f594a7443c20a16bb8e1f7bc5a0bdacb759a80d01bf148f5f5ae
SSDEEP

6144:fTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:fTBPFV0RyWl3h2E+7pYm0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2664	wlogon32.exe
2580	wlogon32.exe

Loads dropped DLL 4 IoCs

pid	Process
2864	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
2864	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
2864	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
2664	wlogon32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\DefaultIcon	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\haldriver\shell	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\haldriver\shell\open\command	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\haldriver\shell\runas\command\ = "\"%1\" %*"	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe\" /START \"%1\" %*"	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\haldriver\ = "Application"	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\haldriver\DefaultIcon\ = "%1"	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe\" /START \"%1\" %*"	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\haldriver\shell\runas	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\haldriver\DefaultIcon	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\haldriver	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\haldriver\Content-Type = "application/x-msdownload"	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\ = "haldriver"	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\haldriver\shell\open	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\haldriver\shell\runas\command	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2664	wlogon32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2664	2864	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe	28
PID 2864 wrote to memory of 2664	2864	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe	28
PID 2864 wrote to memory of 2664	2864	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe	28
PID 2864 wrote to memory of 2664	2864	2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe	28
PID 2664 wrote to memory of 2580	2664	wlogon32.exe	29
PID 2664 wrote to memory of 2580	2664	wlogon32.exe	29
PID 2664 wrote to memory of 2580	2664	wlogon32.exe	29
PID 2664 wrote to memory of 2580	2664	wlogon32.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_d364fdb270c826587443f2a4bfa2af3d_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
    3⤵
    - Executes dropped EXE
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

Filesize
344KB

MD5
e6977961e541eed7aacfed269792a67c

SHA1
c7ff31fb046bf8c17e02a57d5c36e2edbebecc62

SHA256
bd7ea02f4539245ee27c9178ff5232d47f2f57d74abf60b30498603eaa0c6854

SHA512
d563313279472500ab24ec7166d2f63f6f9b9b6deaad3499014a0d293ddebe32fd10b46453ac135a23ed09bb54e0f90086d220d466628d61406dbec275927e53

Download Submit