d54d35bfdc2cf48b6441ee7d817bf7aacc77f1dd4e77164a382b6818a09f647b

Analysis

max time kernel
0s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 19:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Size

274KB
MD5

e030af86c6c0e1f49ac82345fdedd728
SHA1

5e596f283d7d07c2252efcd50a02920b4f0f3da1
SHA256

d54d35bfdc2cf48b6441ee7d817bf7aacc77f1dd4e77164a382b6818a09f647b
SHA512

b5a2f5fadf3d2d1b9c71d5f8ee9b3e765a9f43555f6d375fb1a01b5e52183b717cbece1e0e66d4528bafb34ee0101811f0eec16f70afc09d053aa9f9d22bd555
SSDEEP

6144:2YvZ6brUj+bvqHXSpWr2Kqz83Oad3Jg4PlPDIQ+KLzDDg:2YvEbrUjp3SpWggd3JBPlPDIQ3g

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\jitc\shell	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\taskhostsys.exe\" /START \"%1\" %*"	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\jitc\Content-Type = "application/x-msdownload"	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\jitc\shell\runas\command\ = "\"%1\" %*"	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\jitc	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\jitc\ = "Application"	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\taskhostsys.exe\" /START \"%1\" %*"	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\jitc\shell\open\command	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\jitc\shell\open	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\ = "jitc"	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\jitc\DefaultIcon	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\jitc\shell\runas	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\DefaultIcon	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\jitc\DefaultIcon\ = "%1"	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\jitc\shell\runas\command	2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_e030af86c6c0e1f49ac82345fdedd728_mafia_nionspy.exe"
1⤵
- Modifies registry class
PID:1660
- C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
  2⤵
  PID:2580
- - C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
    3⤵
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe

Filesize
274KB

MD5
e067b622b576c0d7c718b6d5a3409a45

SHA1
ddf5f8a0a76965cce41ebea77e4895e7424e31aa

SHA256
f88f26e5c14c30e2111e4d62a1619f2c2abdf5bcfee1e37c9aa989bd7d33ee4c

SHA512
d699d6f1793600a1ef40fde2578bb1c3a586187b6f271861fb52e7a1987d33c35d33fd4b8169efd76f6a0284ad804c77fd32b3c005386de018d37b78c0f481da

Download Submit