c7cb37f520a26d281b77bfc6a9877b5e145fa1f1a543b120bca7074b3d8e7e34

General

Target

2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Size

280KB
MD5

1b6da1de4478aef3642caa2169fe9a89
SHA1

97bac0043df18ac47181855d375fe79df57fa854
SHA256

c7cb37f520a26d281b77bfc6a9877b5e145fa1f1a543b120bca7074b3d8e7e34
SHA512

4f7a1a084ee591091fc6308836d13b32371dc7265f624d9653c56e14defb2e16f6def2f0acb380b3caa70b57262f4e32c40d27e634135f61ec0d2855569a8d76
SSDEEP

6144:oTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:oTBPFV0RyWl3h2E+7pl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

sidebar2.exesidebar2.exe

pid process

2764 sidebar2.exe
2020 sidebar2.exe

pid	process
2764	sidebar2.exe
2020	sidebar2.exe

Loads dropped DLL 4 IoCs

Processes:

2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exesidebar2.exe

pid	process
3048	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
3048	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
3048	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
2764	sidebar2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

Processes:

2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\ = "Application"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\runas\command\ = "\"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\open	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\Content-Type = "application/x-msdownload"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\DefaultIcon	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\open\command	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\sidebar2.exe\" /START \"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\DefaultIcon	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\runas	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\sidebar2.exe\" /START \"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\DefaultIcon\ = "%1"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\runas\command	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\ = "prochost"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

sidebar2.exe

description pid process

Token: SeIncBasePriorityPrivilege 2764 sidebar2.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2764	sidebar2.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exesidebar2.exe

description	pid	process	target process
PID 3048 wrote to memory of 2764	3048	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe	sidebar2.exe
PID 3048 wrote to memory of 2764	3048	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe	sidebar2.exe
PID 3048 wrote to memory of 2764	3048	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe	sidebar2.exe
PID 3048 wrote to memory of 2764	3048	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe	sidebar2.exe
PID 2764 wrote to memory of 2020	2764	sidebar2.exe	sidebar2.exe
PID 2764 wrote to memory of 2020	2764	sidebar2.exe	sidebar2.exe
PID 2764 wrote to memory of 2020	2764	sidebar2.exe	sidebar2.exe
PID 2764 wrote to memory of 2020	2764	sidebar2.exe	sidebar2.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe"
3⤵
- Executes dropped EXE
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Posix\sidebar2.exe
Filesize
280KB

MD5
5dab48708d17b20488a4f28e8061a90b

SHA1
764946c4c91934f0b03f733a350e4a5326e20ffe

SHA256
fe46e252d33217aa3e0e3a859790a227a3f28bf02451dbc48cb20707c1d25f52

SHA512
074161f79b4f1ca55ee98f8fe12dfd97daab75ea38be1e3024c1110dfee36821f31aef3aba8c793c19924eff2dc57fc29afc202b3b65a1fa973c72075b1f2169

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads