a34f9a3526581b2e00a52e5aac304c5d90acfc990fd398a4d52d564ff97ad665

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 04:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Size

344KB
MD5

07f8d8e35c6c58d189387594be4a800d
SHA1

b6123a73865864af5f9e56856920ef55ed4cd726
SHA256

a34f9a3526581b2e00a52e5aac304c5d90acfc990fd398a4d52d564ff97ad665
SHA512

6674c541dab7d8f7943c23d2fcdf82cca485f898fa2516f01ab6a17120aafc7ac6f83d7f05c27211c143b89d8d83cb99d120c27c1b8349945cf465eb9f9c0a3e
SSDEEP

6144:UTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:UTBPFV0RyWl3h2E+7pYm0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2632	lsassys.exe
2068	lsassys.exe

Loads dropped DLL 4 IoCs

pid	Process
1288	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
1288	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
1288	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
2632	lsassys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\ = "halnt"	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\open	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\halnt\ = "Application"	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\halnt\shell\open	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\halnt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\lsassys.exe\" /START \"%1\" %*"	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\halnt\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\halnt\shell\runas\command	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\halnt\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\halnt	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\halnt\DefaultIcon\ = "%1"	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\runas	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\halnt\shell\runas\command\ = "\"%1\" %*"	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\DefaultIcon	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\halnt\DefaultIcon	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\halnt\shell\runas	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\runas\command	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\halnt\Content-Type = "application/x-msdownload"	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\halnt\shell\open\command	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\halnt\shell	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\open\command	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\lsassys.exe\" /START \"%1\" %*"	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2632	lsassys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2632	1288	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe	28
PID 1288 wrote to memory of 2632	1288	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe	28
PID 1288 wrote to memory of 2632	1288	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe	28
PID 1288 wrote to memory of 2632	1288	2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe	28
PID 2632 wrote to memory of 2068	2632	lsassys.exe	29
PID 2632 wrote to memory of 2068	2632	lsassys.exe	29
PID 2632 wrote to memory of 2068	2632	lsassys.exe	29
PID 2632 wrote to memory of 2068	2632	lsassys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_07f8d8e35c6c58d189387594be4a800d_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe"
    3⤵
    - Executes dropped EXE
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\lsassys.exe

Filesize
344KB

MD5
ddbf7391800d8306dadc4b7924804e04

SHA1
fa53a61d97ee48bfa533e90761e31684f5b0b149

SHA256
faa7153e3c805e62ad136244547963187192aad7afab0d2cdf133fc7bce44692

SHA512
bca8bfeb8316b14089430edf6c5db7e6997198e802967c06e52f69dc1b28564bc4dfe60467433aebc7c503123a05fc92a3ca7398856f247a90f126dda21d4010

Download Submit