Analysis
max time kernel: 154s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/10/2023, 17:46
Static task
static1

Behavioral task
behavioral1
Sample: NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Resource: win7-20231023-en

Behavioral task
behavioral2
Sample: NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Size: 327KB
MD5: 4ba5800cf09bd91c4a18512fefdb60eb
SHA1: b820c7f57cc7e4728f91cc3a9c19c8163a44356f
SHA256: c2a1526dd574293fc7d7ea835b9a14a53fbc91df3b18bf7e652bb668677c7642
SHA512: 4a6557de8d0316ad1136b89d6c368e7dc3faf82e63bdece25bc5d838e139205a808e6c7cdb7759b41565a9f2235f7b6a611244fd0637436f7c3371e3b6cab32f
SSDEEP: 6144:82+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:82TFafJiHCWBWPMjVWrXK0
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe

Executes dropped EXE (2 IoCs)
pid | Process
3084 | taskhostsys.exe
2812 | taskhostsys.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (30 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\.exe\shell\open\command | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\taskhostsys.exe\" /START \"%1\" %*" | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\.exe\shell\runas\command | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\jitc\DefaultIcon | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*" | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\.exe\Content-Type = "application/x-msdownload" | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\.exe\shell | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\jitc\shell\open | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\.exe\ = "jitc" | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*" | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\.exe\DefaultIcon\ = "%1" | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\jitc\DefaultIcon\ = "%1" | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\jitc\shell | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\jitc\shell\runas | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\.exe | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\taskhostsys.exe\" /START \"%1\" %*" | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*" | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\.exe\DefaultIcon | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\.exe\shell\open | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\jitc\Content-Type = "application/x-msdownload" | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\jitc\shell\open\command | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\jitc\ = "Application" | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\.exe\shell\runas | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\jitc | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\jitc\shell\runas\command | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\jitc\shell\runas\command\ = "\"%1\" %*" | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3084 | taskhostsys.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4184 wrote to memory of 3084 | 4184 | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe | 84
PID 4184 wrote to memory of 3084 | 4184 | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe | 84
PID 4184 wrote to memory of 3084 | 4184 | NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe | 84
PID 3084 wrote to memory of 2812 | 3084 | taskhostsys.exe | 85
PID 3084 wrote to memory of 2812 | 3084 | taskhostsys.exe | 85
PID 3084 wrote to memory of 2812 | 3084 | taskhostsys.exe | 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_4ba5800cf09bd91c4a18512fefdb60eb_mafia_nionspy_JC.exe"
   PID: 4184
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe"
      PID: 3084
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe"
         PID: 2812
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 327KB
MD5: 496451a536fde05a63d0897b728af1a5
SHA1: 1c362227278ea665e99c25e37dfee4b385e37798
SHA256: 5ea6332373d28ed7347a45126ea6c347853737683e7e378571268ad98fade9aa
SHA512: 7f8f889c4f8a0e8181911d8c99ea09b41bf3d2b76abc4ea7235be995865f883880fbe14f14444f71be332b68afc0b905b12a9b446568256cd328fdb886a9392c