9af5ad273818c2150a4b6aea7e13a288dad527a201c699ad8ddd053434bcf4cd

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Size

344KB
MD5

533908b48069551ece9fc9e7d327c82d
SHA1

05b520413c8183e6b2d5660a8a17c561b51c1790
SHA256

9af5ad273818c2150a4b6aea7e13a288dad527a201c699ad8ddd053434bcf4cd
SHA512

c22a02bc3dc5e6ed76e3d084b3597854f335555c0bb9e09a0aca51d997a2958976e6277e348bcd21a1690eb0634b20f7c10d12b2c12e4c8a27d55b08c12168a4
SSDEEP

6144:sTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:sTBPFV0RyWl3h2E+7pYm0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2168	dwmsys.exe
2012	dwmsys.exe

Loads dropped DLL 4 IoCs

pid	Process
1636	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
1636	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
1636	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
2168	dwmsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\systemui\shell\open	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\DefaultIcon	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\systemui\DefaultIcon\ = "%1"	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\systemui\shell\runas	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\dwmsys.exe\" /START \"%1\" %*"	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\ = "systemui"	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\systemui	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\systemui\shell	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\systemui\shell\runas\command	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\systemui\shell\runas\command\ = "\"%1\" %*"	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\systemui\ = "Application"	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\systemui\Content-Type = "application/x-msdownload"	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\systemui\shell\open\command	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\systemui\DefaultIcon	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\dwmsys.exe\" /START \"%1\" %*"	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2168	dwmsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2168	1636	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe	28
PID 1636 wrote to memory of 2168	1636	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe	28
PID 1636 wrote to memory of 2168	1636	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe	28
PID 1636 wrote to memory of 2168	1636	2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe	28
PID 2168 wrote to memory of 2012	2168	dwmsys.exe	29
PID 2168 wrote to memory of 2012	2168	dwmsys.exe	29
PID 2168 wrote to memory of 2012	2168	dwmsys.exe	29
PID 2168 wrote to memory of 2012	2168	dwmsys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_533908b48069551ece9fc9e7d327c82d_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe"
    3⤵
    - Executes dropped EXE
    PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe

Filesize
344KB

MD5
ada4adca5bbd3de923b9b9178139880a

SHA1
63243e4de93c102176383a97049b1e98a8b9fa08

SHA256
ecaf1a09b400e08f67b43d9f1f61196f0b1912ba435083e195fc7ee430bc9b48

SHA512
c3823c9505326651f4ff9df44daa810f2849a8f884c32f03561d7c5ef4f7e87613153810bd3b96257b789d32d34c4ed13449a0c992752c05326423debe36aee1

Download Submit