50db8fd04a704cd0d87fedd8f0e80dba04a404b01a083fbd1cc6608edd00a07e

Analysis

max time kernel
123s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Size

344KB
MD5

8f8ba6f02bc4e8cf335b0fbf9e7e632b
SHA1

82eb07865f2047744bda841568366b0c80d50472
SHA256

50db8fd04a704cd0d87fedd8f0e80dba04a404b01a083fbd1cc6608edd00a07e
SHA512

2cb3f6587bc849905f0a32cae43081b04edcdc62df7aeefe0e533b840de3e22a072fd75bf7dd2653b8f6fff6b891f0fdc61dd32af88427a7e9541f335bde3bce
SSDEEP

6144:8Tz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:8TBPFV0RyWl3h2E+7pYm0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2412	winit32.exe
1892	winit32.exe

Loads dropped DLL 4 IoCs

pid	Process
2368	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
2368	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
2368	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
2412	winit32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ntdriver\shell\open	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ntdriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\winit32.exe\" /START \"%1\" %*"	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ntdriver\Content-Type = "application/x-msdownload"	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ntdriver\shell	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ntdriver\ = "Application"	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ntdriver\DefaultIcon	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\open\command	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ntdriver\shell\runas\command	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ntdriver\shell\runas\command\ = "\"%1\" %*"	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\ = "ntdriver"	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\open	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\runas	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ntdriver	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ntdriver\DefaultIcon\ = "%1"	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\shell\runas\command	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ntdriver\shell\open\command	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ntdriver\shell\runas	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.exe\DefaultIcon	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ntdriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\winit32.exe\" /START \"%1\" %*"	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ntdriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2412	winit32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2412	2368	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe	30
PID 2368 wrote to memory of 2412	2368	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe	30
PID 2368 wrote to memory of 2412	2368	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe	30
PID 2368 wrote to memory of 2412	2368	2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe	30
PID 2412 wrote to memory of 1892	2412	winit32.exe	31
PID 2412 wrote to memory of 1892	2412	winit32.exe	31
PID 2412 wrote to memory of 1892	2412	winit32.exe	31
PID 2412 wrote to memory of 1892	2412	winit32.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-09_8f8ba6f02bc4e8cf335b0fbf9e7e632b_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe"
    3⤵
    - Executes dropped EXE
    PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe

Filesize
344KB

MD5
3b6bafb780905c7930845b1a1cc10800

SHA1
0cfbb71aa338293cafee96b2b87c18a66b3384c7

SHA256
4ad8cc04d7fdab6601a305d7ff3516122b12044ae3579e3af2ec9d46dfa20b61

SHA512
779bd593f52b4d99b82baf09973cfd6aafc0842887de3989f3206882fad3e52c5584277ae39912eb2c254c151396bccf6a928b2c9f974f391c22968d9c6ba6fb

Download Submit