4fa9aed3ed51e63919eebf16c07ceb3f6e66e51e356ee3e7d880640b8c8782ca

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2023, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Size

327KB
MD5

0d655e5eeb4242b1b82c9f41e8359308
SHA1

a231671390775a1560281c3885a8a55b6ea106cd
SHA256

4fa9aed3ed51e63919eebf16c07ceb3f6e66e51e356ee3e7d880640b8c8782ca
SHA512

fea3d9bf66d0d44235cd42d9cfcac50518f985b5e9263233e298d2c16e2c68059432c64cc900cde7891cc16a48053e3373599ec9f879d2acb7f9a0686fb82603
SSDEEP

6144:R2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:R2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
1548	sidebar2.exe
3876	sidebar2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\prochost\shell	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\.exe\ = "prochost"	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\prochost\DefaultIcon	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\prochost\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\sidebar2.exe\" /START \"%1\" %*"	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\prochost\shell\runas	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\.exe\shell\runas\command	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\prochost\shell\open\command	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\.exe\DefaultIcon	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\.exe\shell	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\.exe\DefaultIcon\ = "%1"	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\prochost\shell\runas\command\ = "\"%1\" %*"	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\prochost\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\.exe	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\prochost\shell\open	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\prochost\shell\open\command\IsolatedCommand = "\"%1\" %*"	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\.exe\shell\runas	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\prochost\ = "Application"	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\prochost\Content-Type = "application/x-msdownload"	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\prochost\DefaultIcon\ = "%1"	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\prochost	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\prochost\shell\runas\command	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\sidebar2.exe\" /START \"%1\" %*"	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\.exe\shell\open\command	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\.exe\shell\open	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1548	sidebar2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1548	2936	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe	85
PID 2936 wrote to memory of 1548	2936	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe	85
PID 2936 wrote to memory of 1548	2936	2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe	85
PID 1548 wrote to memory of 3876	1548	sidebar2.exe	86
PID 1548 wrote to memory of 3876	1548	sidebar2.exe	86
PID 1548 wrote to memory of 3876	1548	sidebar2.exe	86

C:\Users\Admin\AppData\Local\Temp\2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-23_0d655e5eeb4242b1b82c9f41e8359308_mafia_nionspy_JC.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe"
    3⤵
    - Executes dropped EXE
    PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe

Filesize
327KB

MD5
0fd5495517071f9e12ac9a6f2a1689fd

SHA1
aac8edb08cdd99ae2ebe69bab512ee6c86843baf

SHA256
00e6977af9e23b9f67889dfcf6d5ec3b2b2b7fc0173a303251c6739689c129a0

SHA512
8b7a3c0564989b1809a0b6cb69eb402e0e2bb7224d25fee2b39ebcaf168f639eb50eca924a8173ec4e1f73b9877b8e6a17d150305e282d8f940ddce0275e1bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe

Filesize
327KB

MD5
0fd5495517071f9e12ac9a6f2a1689fd

SHA1
aac8edb08cdd99ae2ebe69bab512ee6c86843baf

SHA256
00e6977af9e23b9f67889dfcf6d5ec3b2b2b7fc0173a303251c6739689c129a0

SHA512
8b7a3c0564989b1809a0b6cb69eb402e0e2bb7224d25fee2b39ebcaf168f639eb50eca924a8173ec4e1f73b9877b8e6a17d150305e282d8f940ddce0275e1bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe

Filesize
327KB

MD5
0fd5495517071f9e12ac9a6f2a1689fd

SHA1
aac8edb08cdd99ae2ebe69bab512ee6c86843baf

SHA256
00e6977af9e23b9f67889dfcf6d5ec3b2b2b7fc0173a303251c6739689c129a0

SHA512
8b7a3c0564989b1809a0b6cb69eb402e0e2bb7224d25fee2b39ebcaf168f639eb50eca924a8173ec4e1f73b9877b8e6a17d150305e282d8f940ddce0275e1bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe

Filesize
327KB

MD5
0fd5495517071f9e12ac9a6f2a1689fd

SHA1
aac8edb08cdd99ae2ebe69bab512ee6c86843baf

SHA256
00e6977af9e23b9f67889dfcf6d5ec3b2b2b7fc0173a303251c6739689c129a0

SHA512
8b7a3c0564989b1809a0b6cb69eb402e0e2bb7224d25fee2b39ebcaf168f639eb50eca924a8173ec4e1f73b9877b8e6a17d150305e282d8f940ddce0275e1bde

Download Submit