50f99d9eee6abf022c0dce5337ed8821713967833ef70e9fa543d93d15a3c42a

Analysis

max time kernel
138s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 18:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Size

288KB
MD5

60423b7325169535934487c2fbccfe31
SHA1

b566a7657c670e1f6cec489f342ddb76945a29ac
SHA256

50f99d9eee6abf022c0dce5337ed8821713967833ef70e9fa543d93d15a3c42a
SHA512

44910cddeaee447ae081fcc2a9b34b80447dab5f623f561fd5efe4b954a4b8cbf99c14839e364ef85d94bc3df858c64f3d62a570034294855660b443088f2929
SSDEEP

6144:nQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:nQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
320	taskhostsys.exe
4724	taskhostsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\.exe	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\.exe\DefaultIcon\ = "%1"	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\taskhostsys.exe\" /START \"%1\" %*"	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\jitc\shell\runas\command	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\.exe\shell\open\command	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\.exe\shell	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\jitc\DefaultIcon	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\taskhostsys.exe\" /START \"%1\" %*"	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\.exe\shell\runas\command	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\.exe\shell\open	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\jitc\shell\runas	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\jitc\shell\runas\command\ = "\"%1\" %*"	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\.exe\shell\runas	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\jitc\DefaultIcon\ = "%1"	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\.exe\DefaultIcon	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*"	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\jitc\ = "Application"	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\jitc\shell\open\command	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\jitc\shell	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\.exe\ = "jitc"	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\jitc	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\jitc\Content-Type = "application/x-msdownload"	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\jitc\shell\open	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	320	taskhostsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 320	1864	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe	87
PID 1864 wrote to memory of 320	1864	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe	87
PID 1864 wrote to memory of 320	1864	2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe	87
PID 320 wrote to memory of 4724	320	taskhostsys.exe	88
PID 320 wrote to memory of 4724	320	taskhostsys.exe	88
PID 320 wrote to memory of 4724	320	taskhostsys.exe	88

C:\Users\Admin\AppData\Local\Temp\2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_60423b7325169535934487c2fbccfe31_mafia_nionspy_JC.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe"
    3⤵
    - Executes dropped EXE
    PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe

Filesize
288KB

MD5
96ab52e12c6f0d123208be672886c976

SHA1
0964fe9386aeecb77c7e30e8a5de24381f40edc5

SHA256
78b1fb572176a6398a1ba19d42c32bd5c09f26a5b326e20425c57be1a4893af4

SHA512
1f1db0c8ec57235f31fd6825383daec6ddba39882ff4f069eee5ebef8e36c450b6bbf81a24f627066340c92bdaf20fa76de1d5e2d95c682e3d56d239ad9987c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe

Filesize
288KB

MD5
96ab52e12c6f0d123208be672886c976

SHA1
0964fe9386aeecb77c7e30e8a5de24381f40edc5

SHA256
78b1fb572176a6398a1ba19d42c32bd5c09f26a5b326e20425c57be1a4893af4

SHA512
1f1db0c8ec57235f31fd6825383daec6ddba39882ff4f069eee5ebef8e36c450b6bbf81a24f627066340c92bdaf20fa76de1d5e2d95c682e3d56d239ad9987c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe

Filesize
288KB

MD5
96ab52e12c6f0d123208be672886c976

SHA1
0964fe9386aeecb77c7e30e8a5de24381f40edc5

SHA256
78b1fb572176a6398a1ba19d42c32bd5c09f26a5b326e20425c57be1a4893af4

SHA512
1f1db0c8ec57235f31fd6825383daec6ddba39882ff4f069eee5ebef8e36c450b6bbf81a24f627066340c92bdaf20fa76de1d5e2d95c682e3d56d239ad9987c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe

Filesize
288KB

MD5
96ab52e12c6f0d123208be672886c976

SHA1
0964fe9386aeecb77c7e30e8a5de24381f40edc5

SHA256
78b1fb572176a6398a1ba19d42c32bd5c09f26a5b326e20425c57be1a4893af4

SHA512
1f1db0c8ec57235f31fd6825383daec6ddba39882ff4f069eee5ebef8e36c450b6bbf81a24f627066340c92bdaf20fa76de1d5e2d95c682e3d56d239ad9987c7

Download Submit