b2d3fb18356743551625d90118dab6ea1b8cec5ab8322186b6d3e6229f00385f

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 18:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Size

288KB
MD5

e9c76dcdde1b2f564767c5a9cbf8848f
SHA1

4f78c6c6e28abe87516d786a28465edd01db55c1
SHA256

b2d3fb18356743551625d90118dab6ea1b8cec5ab8322186b6d3e6229f00385f
SHA512

45fc7f480e9dc3af138488b540d79fb82454553bb750be424ff4caa74dbae3bca60caecd11d4bd34330b78d3011d890cf1becfc2fdc75cc9f74e5337dfd597ed
SSDEEP

6144:XQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:XQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
3084	SearchIndexerDB.exe
3344	SearchIndexerDB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\cmos\Content-Type = "application/x-msdownload"	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\cmos\shell\runas\command	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\cmos\ = "Application"	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\cmos\DefaultIcon\ = "%1"	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\.exe\shell\runas\command	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\.exe\shell\runas	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\cmos\shell\runas\command\ = "\"%1\" %*"	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\.exe\Content-Type = "application/x-msdownload"	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\cmos\shell	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\cmos\shell\open\command\IsolatedCommand = "\"%1\" %*"	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\.exe\shell	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\.exe\shell\open	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\.exe\DefaultIcon\ = "%1"	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\cmos	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\cmos\shell\open\command	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\cmos\shell\runas\command\IsolatedCommand = "\"%1\" %*"	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\.exe	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\.exe\DefaultIcon	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\cmos\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\SearchIndexerDB.exe\" /START \"%1\" %*"	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\SearchIndexerDB.exe\" /START \"%1\" %*"	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\cmos\DefaultIcon	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\cmos\shell\open	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\cmos\shell\runas	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\.exe\ = "cmos"	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\.exe\shell\open\command	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3084	SearchIndexerDB.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 3084	3440	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe	83
PID 3440 wrote to memory of 3084	3440	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe	83
PID 3440 wrote to memory of 3084	3440	e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe	83
PID 3084 wrote to memory of 3344	3084	SearchIndexerDB.exe	84
PID 3084 wrote to memory of 3344	3084	SearchIndexerDB.exe	84
PID 3084 wrote to memory of 3344	3084	SearchIndexerDB.exe	84

C:\Users\Admin\AppData\Local\Temp\e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e9c76dcdde1b2f564767c5a9cbf8848f_mafia_nionspy_JC.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe"
    3⤵
    - Executes dropped EXE
    PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe

Filesize
288KB

MD5
59fbe4616dae3883503ce0a4a96e0426

SHA1
b02795bade00cd1282b20c5e2f33039941857f67

SHA256
6d90f1ee1f06c0718cea47aa9ba70f1e5bfa000c52e1a91a93a4d9238894d4fb

SHA512
60579466521cbde9b1d71cfb5f4c64bce6133134deedd93196e1ccd9540d2b8c4a7c2ec79a0ce7b1b0d96229b1056d13535bb53f32b78be83a7dde7fef0f251a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe

Filesize
288KB

MD5
59fbe4616dae3883503ce0a4a96e0426

SHA1
b02795bade00cd1282b20c5e2f33039941857f67

SHA256
6d90f1ee1f06c0718cea47aa9ba70f1e5bfa000c52e1a91a93a4d9238894d4fb

SHA512
60579466521cbde9b1d71cfb5f4c64bce6133134deedd93196e1ccd9540d2b8c4a7c2ec79a0ce7b1b0d96229b1056d13535bb53f32b78be83a7dde7fef0f251a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe

Filesize
288KB

MD5
59fbe4616dae3883503ce0a4a96e0426

SHA1
b02795bade00cd1282b20c5e2f33039941857f67

SHA256
6d90f1ee1f06c0718cea47aa9ba70f1e5bfa000c52e1a91a93a4d9238894d4fb

SHA512
60579466521cbde9b1d71cfb5f4c64bce6133134deedd93196e1ccd9540d2b8c4a7c2ec79a0ce7b1b0d96229b1056d13535bb53f32b78be83a7dde7fef0f251a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Posix\SearchIndexerDB.exe

Filesize
288KB

MD5
59fbe4616dae3883503ce0a4a96e0426

SHA1
b02795bade00cd1282b20c5e2f33039941857f67

SHA256
6d90f1ee1f06c0718cea47aa9ba70f1e5bfa000c52e1a91a93a4d9238894d4fb

SHA512
60579466521cbde9b1d71cfb5f4c64bce6133134deedd93196e1ccd9540d2b8c4a7c2ec79a0ce7b1b0d96229b1056d13535bb53f32b78be83a7dde7fef0f251a

Download Submit