Analysis
-
max time kernel
120s -
max time network
63s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
25/08/2024, 10:09
Static task
static1
Behavioral task
behavioral1
Sample
2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe
-
Size
280KB
-
MD5
790c93e93ca7b7c3cdc9da3e70dc52cc
-
SHA1
ed5ed0c947e3e0a83432f928acfe0283682912d4
-
SHA256
690c99dbd24a6160a035e6b2aa327ffe21bcc99e4e7afd0e5ec28c1b110b21ae
-
SHA512
28b63296de9403ad8ede4fe80709c51b89c6db5fd14dcaad78a3db36b56c561326af796ba9cc45e7124b9a75239fa612f372ad27dcb154653bc14df4777ea7c5
-
SSDEEP
6144:0Tz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:0TBPFV0RyWl3h2E+7pl
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2720 dwmsys.exe 2696 dwmsys.exe -
Loads dropped DLL 4 IoCs
pid Process 2876 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe 2876 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe 2876 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe 2720 dwmsys.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dwmsys.exe -
Modifies registry class 28 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\open\command 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\open 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\DefaultIcon\ = "%1" 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\dwmsys.exe\" /START \"%1\" %*" 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\DefaultIcon 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\runas\command 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\open\command 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\runas\command 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*" 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\DefaultIcon 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\open 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\Content-Type = "application/x-msdownload" 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\runas 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\Content-Type = "application/x-msdownload" 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\runas 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\runas\command\ = "\"%1\" %*" 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\dwmsys.exe\" /START \"%1\" %*" 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*" 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\ = "systemui" 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\ = "Application" 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\DefaultIcon\ = "%1" 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2720 dwmsys.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2876 wrote to memory of 2720 2876 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe 29 PID 2876 wrote to memory of 2720 2876 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe 29 PID 2876 wrote to memory of 2720 2876 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe 29 PID 2876 wrote to memory of 2720 2876 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe 29 PID 2720 wrote to memory of 2696 2720 dwmsys.exe 30 PID 2720 wrote to memory of 2696 2720 dwmsys.exe 30 PID 2720 wrote to memory of 2696 2720 dwmsys.exe 30 PID 2720 wrote to memory of 2696 2720 dwmsys.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"3⤵
- Executes dropped EXE
PID:2696
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280KB
MD5a3f8cbc0c01d908299e7128d61ca044f
SHA13aaea9dd2f1f37ca0e013a87dc05ec08118813e4
SHA2560133f7f5e45800dd4ca6e13eb91d1fb171a555ac370f6326bda711379ff20649
SHA512f2cad0f5ba348c815698f23d50428bbf364125295482f60af8547023e2fd4b8c80983812c2adb639f1dcd2d1cc1ec1134ce51af674a93cdb2cdc92188c99b966