c40270c58f156449d7159100da63292f30af3e9e80b8e1161da5c1775044c559

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Size

280KB
MD5

c5f60ca8ff8ebd2a112a86f9291406ee
SHA1

914fa9dbbd738b0bd85a3ea39f2c74009cfdd8b1
SHA256

c40270c58f156449d7159100da63292f30af3e9e80b8e1161da5c1775044c559
SHA512

810242010d04549892c536c34ab8f68b7255c095fc9ef98284a488bab67b713b39550c46bc39843d5c24ed77cc2966554e0c849dfeb4036804a1504f86b52dc9
SSDEEP

6144:JTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:JTBPFV0RyWl3h2E+7pl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
1624	wlogon32.exe
2404	wlogon32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\haldriver\shell\open\command	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\haldriver\shell\open	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*"	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\haldriver\DefaultIcon\ = "%1"	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\haldriver\shell\runas	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\open	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\haldriver\ = "Application"	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\haldriver\DefaultIcon	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\haldriver\shell	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe\" /START \"%1\" %*"	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\haldriver\Content-Type = "application/x-msdownload"	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\ = "haldriver"	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\open\command	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\haldriver	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\runas\command	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\runas	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\haldriver\shell\runas\command	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe\" /START \"%1\" %*"	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\DefaultIcon	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1624	wlogon32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 1624	3532	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe	89
PID 3532 wrote to memory of 1624	3532	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe	89
PID 3532 wrote to memory of 1624	3532	2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe	89
PID 1624 wrote to memory of 2404	1624	wlogon32.exe	90
PID 1624 wrote to memory of 2404	1624	wlogon32.exe	90
PID 1624 wrote to memory of 2404	1624	wlogon32.exe	90

C:\Users\Admin\AppData\Local\Temp\2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_c5f60ca8ff8ebd2a112a86f9291406ee_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
    3⤵
    - Executes dropped EXE
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

Filesize
280KB

MD5
3191580dc6e7fec776bddea0783910aa

SHA1
2cfcb00d1c9a064148182a49772c09e5a299db3d

SHA256
83a8e570deca55d64c37c07d0102eb99a2f19b6c9c9077218291fd037b554346

SHA512
453db66962068d1e2eb618327b832f3be733d8e0b05ef878590d7937f85824a77361315071b7458e956d4ef779db23b2b3b4027793f60eadea6322425b7284fb

Download Submit