9035865a346cc5bb6381a1654fc5caf629c178bbc2341bb0f6cfc0c4fe222d33

Analysis

max time kernel
121s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Size

280KB
MD5

fe09d9d0de35a022bbc3afac14a2c20b
SHA1

17c223997edccc51b0c4e742a3c45ab28c3cd03d
SHA256

9035865a346cc5bb6381a1654fc5caf629c178bbc2341bb0f6cfc0c4fe222d33
SHA512

ef32c629db04d0f1dd1cfde0aa1a16154c85b8412fbda3725742b915de4a503f97d1dbd33a13765d7d04957f417f3e6f9fd0969c6d05ee909d8c4372267da6f1
SSDEEP

6144:TTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:TTBPFV0RyWl3h2E+7pl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2664	lsassys.exe
2500	lsassys.exe

Loads dropped DLL 4 IoCs

pid	Process
2748	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
2748	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
2748	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
2664	lsassys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\halnt\DefaultIcon	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\halnt\shell	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\halnt\shell\runas	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\ = "halnt"	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\runas\command	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\halnt\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\halnt\ = "Application"	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\halnt\DefaultIcon\ = "%1"	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\halnt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\lsassys.exe\" /START \"%1\" %*"	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\halnt\shell\runas\command\ = "\"%1\" %*"	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\open	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\halnt	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\halnt\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\halnt\shell\runas\command	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\halnt\shell\open	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\DefaultIcon	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\lsassys.exe\" /START \"%1\" %*"	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\halnt\Content-Type = "application/x-msdownload"	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\open\command	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\halnt\shell\open\command	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\runas	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2664	lsassys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2664	2748	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe	28
PID 2748 wrote to memory of 2664	2748	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe	28
PID 2748 wrote to memory of 2664	2748	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe	28
PID 2748 wrote to memory of 2664	2748	2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe	28
PID 2664 wrote to memory of 2500	2664	lsassys.exe	29
PID 2664 wrote to memory of 2500	2664	lsassys.exe	29
PID 2664 wrote to memory of 2500	2664	lsassys.exe	29
PID 2664 wrote to memory of 2500	2664	lsassys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_fe09d9d0de35a022bbc3afac14a2c20b_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe"
    3⤵
    - Executes dropped EXE
    PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\SView\lsassys.exe

Filesize
280KB

MD5
4b2aa7c3149516083201e9ebc1583495

SHA1
5d54350864ff5a7800910407aa29fb030c4a562b

SHA256
5f6dbb9b69e9170557a0dc18ffbbd92a45b758e3f001d03d31c05ae9ee8a22c9

SHA512
2d66f68e0be26f3f0a578e59e52bf954a5057e156862e010e23ddf65835509d6fdd6752e22704024ce23c7fa42f80a99ee5355da7004147cdeec3d367299a1ab

Download Submit