9e78f8a9aca04f3b5e905f2b88c756e3a468293b8ded688918535045ee68860c

Analysis

max time kernel
123s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Size

274KB
MD5

fee15c8df2f4e2e21308830600808156
SHA1

3b0815b26cbc46863a99790cdf54d58655261bf1
SHA256

9e78f8a9aca04f3b5e905f2b88c756e3a468293b8ded688918535045ee68860c
SHA512

23719b2310b8ee4f6edf82c581fb49f1ce25f8d6e77928533a885489079ac2421b72201cbe8de9497f8d66bff20523ac1cb650086f0becd3d9530759bc9abdbb
SSDEEP

6144:uYvZ6brUj+bvqHXSpWr2Kqz83Oad3Jg4PlPDIQ+KLzDDg:uYvEbrUjp3SpWggd3JBPlPDIQ3g

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2780	dwmsys.exe
1552	dwmsys.exe

Loads dropped DLL 4 IoCs

pid	Process
2368	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
2368	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
2368	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
2780	dwmsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\open	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\runas\command	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\systemui\Content-Type = "application/x-msdownload"	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\systemui\DefaultIcon	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\systemui\shell\open\command	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\DefaultIcon	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\ = "systemui"	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\systemui\DefaultIcon\ = "%1"	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\dwmsys.exe\" /START \"%1\" %*"	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\systemui\shell\runas\command	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\systemui\shell	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\systemui\shell\runas	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\runas	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\open\command	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\systemui	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\systemui\shell\open	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\systemui\shell\runas\command\ = "\"%1\" %*"	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\systemui\ = "Application"	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\dwmsys.exe\" /START \"%1\" %*"	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2780	dwmsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2780	2368	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe	30
PID 2368 wrote to memory of 2780	2368	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe	30
PID 2368 wrote to memory of 2780	2368	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe	30
PID 2368 wrote to memory of 2780	2368	2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe	30
PID 2780 wrote to memory of 1552	2780	dwmsys.exe	31
PID 2780 wrote to memory of 1552	2780	dwmsys.exe	31
PID 2780 wrote to memory of 1552	2780	dwmsys.exe	31
PID 2780 wrote to memory of 1552	2780	dwmsys.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-22_fee15c8df2f4e2e21308830600808156_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe"
    3⤵
    - Executes dropped EXE
    PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe

Filesize
274KB

MD5
3da1df09cc5c748810440fefe82e45ad

SHA1
1c3e095416a6eb3ae5054f459642baf7b38f9dbc

SHA256
2df7803a046683cccd144e94f71f50a722ab84ca8c97934464e111771a4924d1

SHA512
195ca25cfa9c66c2e431e2441c8160dd601d2979b05ad650ee7eb7754a8edb9f38a5be73cc4b0b9a5dc23227b3be8497e45ed775ee1b1eefeada2bb4b0abb656

Download Submit