Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
160s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
10/01/2024, 05:49
Static task
static1
Behavioral task
behavioral1
Sample
2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe
-
Size
344KB
-
MD5
02cd08e31c43c91b1fd150562debf20f
-
SHA1
3f0afb4617736bf02ff001f9f9c9ecfe771201b2
-
SHA256
84ea6a35ea9783e3ef5bdfa211da8176d92ccf13ae3c280cbbdd98e4a6353494
-
SHA512
d0e7c70dbe2de95ac22e26169ce0af42987032fc019147480c25c8d85a43294a7b68f1090924330558fefd7739032fc10eaad3da559a95c39ec38bcd77e964eb
-
SSDEEP
6144:kTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:kTBPFV0RyWl3h2E+7pYm0
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe -
Executes dropped EXE 2 IoCs
pid Process 4320 sidebar2.exe 1480 sidebar2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 30 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\Content-Type = "application/x-msdownload" 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\open 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\sidebar2.exe\" /START \"%1\" %*" 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\runas 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\runas\command 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\runas\command\ = "\"%1\" %*" 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\runas\command\IsolatedCommand = "\"%1\" %*" 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\ = "prochost" 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\DefaultIcon 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\open\command\IsolatedCommand = "\"%1\" %*" 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\DefaultIcon\ = "%1" 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\open\command 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\DefaultIcon 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\open 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*" 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\sidebar2.exe\" /START \"%1\" %*" 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\runas\command 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\runas 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\Content-Type = "application/x-msdownload" 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\DefaultIcon\ = "%1" 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\open\command 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\ = "Application" 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 4320 sidebar2.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1768 wrote to memory of 4320 1768 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe 95 PID 1768 wrote to memory of 4320 1768 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe 95 PID 1768 wrote to memory of 4320 1768 2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe 95 PID 4320 wrote to memory of 1480 4320 sidebar2.exe 96 PID 4320 wrote to memory of 1480 4320 sidebar2.exe 96 PID 4320 wrote to memory of 1480 4320 sidebar2.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\sidebar2.exe"3⤵
- Executes dropped EXE
PID:1480
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344KB
MD5ddf3384d81f6b7d620ac983c98ec973a
SHA19ac45848e42ea01f3258876c3156a2dc884d2cc5
SHA256f379b1b88423b2caeda8360d35923bc665ff3a2cc96f2f2ad1ee8bbafa463eb5
SHA51269ac2992751cab17ddc330372a08ca3d2f14f446fbf5869c2c6ec312c79360d4f8669a42de2bea0de9a28c6137b6a72cd024fdf1f0d0bc6bf92bba9cc35afcf6