765fb1a400c46c29ec31f14c970c483d379faf4d058b22feff12e92fc209190b

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2023, 19:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Size

288KB
MD5

301c42ab0342864a25d7bdf3701c0c54
SHA1

58ecad6b8d762d2041338975d24203ea0f6c84bc
SHA256

765fb1a400c46c29ec31f14c970c483d379faf4d058b22feff12e92fc209190b
SHA512

0b36d04d9402394dc12a615d0a48baca2c236bc479bc45f304516908652d4b9541a9c27769486e768a112b246ddd4fdae519cc64e05237c96524b08528c17d78
SSDEEP

6144:6Q+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:6QMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
4032	dwmsys.exe
1504	dwmsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\systemui\shell\open	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\.exe\shell\open	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\dwmsys.exe\" /START \"%1\" %*"	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\systemui\ = "Application"	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\systemui\shell	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\.exe\ = "systemui"	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\Local Settings	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\dwmsys.exe\" /START \"%1\" %*"	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\.exe\DefaultIcon	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\systemui\Content-Type = "application/x-msdownload"	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\.exe	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\.exe\shell	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\systemui\shell\runas\command\ = "\"%1\" %*"	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\systemui\shell\runas\command	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\systemui	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\systemui\DefaultIcon	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\.exe\shell\runas\command	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\systemui\shell\runas	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\.exe\DefaultIcon\ = "%1"	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\.exe\shell\open\command	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\.exe\shell\runas	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\systemui\DefaultIcon\ = "%1"	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\systemui\shell\open\command	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4032	dwmsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 4032	4104	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe	87
PID 4104 wrote to memory of 4032	4104	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe	87
PID 4104 wrote to memory of 4032	4104	2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe	87
PID 4032 wrote to memory of 1504	4032	dwmsys.exe	88
PID 4032 wrote to memory of 1504	4032	dwmsys.exe	88
PID 4032 wrote to memory of 1504	4032	dwmsys.exe	88

C:\Users\Admin\AppData\Local\Temp\2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-23_301c42ab0342864a25d7bdf3701c0c54_mafia_nionspy_JC.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe"
    3⤵
    - Executes dropped EXE
    PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe

Filesize
288KB

MD5
e280e9b0668ac9ae700734aab1b4ac7e

SHA1
64559fb19204a7cd04c6093bd300fb7e690f5b69

SHA256
7d3f52f47516f2f30f1edeb3ae5ba9cf575c1904b768dc81bd2a39973ccc209d

SHA512
58740ed5de8da8e6345d1cf6e391a31143197478dd1589562683c33d7a29284ec4bb758385bc0fa77ddeb389049d02655a186ec9ebe3a84c37e912b48d77908d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe

Filesize
288KB

MD5
e280e9b0668ac9ae700734aab1b4ac7e

SHA1
64559fb19204a7cd04c6093bd300fb7e690f5b69

SHA256
7d3f52f47516f2f30f1edeb3ae5ba9cf575c1904b768dc81bd2a39973ccc209d

SHA512
58740ed5de8da8e6345d1cf6e391a31143197478dd1589562683c33d7a29284ec4bb758385bc0fa77ddeb389049d02655a186ec9ebe3a84c37e912b48d77908d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe

Filesize
288KB

MD5
e280e9b0668ac9ae700734aab1b4ac7e

SHA1
64559fb19204a7cd04c6093bd300fb7e690f5b69

SHA256
7d3f52f47516f2f30f1edeb3ae5ba9cf575c1904b768dc81bd2a39973ccc209d

SHA512
58740ed5de8da8e6345d1cf6e391a31143197478dd1589562683c33d7a29284ec4bb758385bc0fa77ddeb389049d02655a186ec9ebe3a84c37e912b48d77908d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe

Filesize
288KB

MD5
e280e9b0668ac9ae700734aab1b4ac7e

SHA1
64559fb19204a7cd04c6093bd300fb7e690f5b69

SHA256
7d3f52f47516f2f30f1edeb3ae5ba9cf575c1904b768dc81bd2a39973ccc209d

SHA512
58740ed5de8da8e6345d1cf6e391a31143197478dd1589562683c33d7a29284ec4bb758385bc0fa77ddeb389049d02655a186ec9ebe3a84c37e912b48d77908d

Download Submit