Analysis
Max time kernel: 142s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-01-2024 15:56
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-01-25_fb4c18480dd15904e8a452f9b3f198c8_mafia_nionspy.exe
  Resource: win7-20231215-en
General
Target: 2024-01-25_fb4c18480dd15904e8a452f9b3f198c8_mafia_nionspy.exe
Size: 288KB
MD5: fb4c18480dd15904e8a452f9b3f198c8
SHA1: 3e2af18484ba0f03a2e7f312100fd6da5760661e
SHA256: f375f846f74202c26c8c98f67d6270d37eb401375d455af0d502f14fb9ad2869
SHA512: 90b0ea5c6c2ef445545f40b4da6ba3d90899934ff00ee0e50b55cfa8272aa45cae93cdce63b69a9a44523493a50cdb48ff199556b707594de03083409b608995
SSDEEP: 6144:cQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:cQMyfmNFHfnWfhLZVHmOog
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  Description        IoC                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation  2024-01-25_fb4c18480dd15904e8a452f9b3f198c8_mafia_nionspy.exe
Executes dropped EXE (2 IoCs)
Processes:
  PID   Process
  3648  winit32.exe
  3216  winit32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (30 IoCs)
Processes: all 30 entries were made by 2024-01-25_fb4c18480dd15904e8a452f9b3f198c8_mafia_nionspy.exe.
Unless a full path is given, keys below are relative to \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes.
  Operation        Key / value                                            Data
  Set value (str)  ntdriver\Content-Type                                  "application/x-msdownload"
  Key created      ntdriver\DefaultIcon
  Set value (str)  ntdriver\shell\runas\command\IsolatedCommand           "\"%1\" %*"
  Set value (str)  .exe\ (default)                                        "ntdriver"
  Set value (str)  .exe\DefaultIcon\ (default)                            "%1"
  Key created      .exe\shell\runas
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  Set value (str)  ntdriver\ (default)                                    "Application"
  Set value (str)  ntdriver\shell\open\command\IsolatedCommand            "\"%1\" %*"
  Set value (str)  ntdriver\shell\open\command\ (default)                 "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\winit32.exe\" /START \"%1\" %*"
  Key created      ntdriver\shell\runas\command
  Set value (str)  .exe\shell\runas\command\IsolatedCommand               "\"%1\" %*"
  Key created      .exe\shell\open\command
  Key created      .exe\shell
  Key created      Local Settings
  Set value (str)  ntdriver\DefaultIcon\ (default)                        "%1"
  Key created      ntdriver\shell\open\command
  Key created      ntdriver\shell
  Set value (str)  .exe\shell\open\command\ (default)                     "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\winit32.exe\" /START \"%1\" %*"
  Key created      ntdriver\shell\open
  Key created      ntdriver\shell\runas
  Set value (str)  .exe\Content-Type                                      "application/x-msdownload"
  Key created      .exe\DefaultIcon
  Set value (str)  ntdriver\shell\runas\command\ (default)                "\"%1\" %*"
  Key created      .exe\shell\open
  Key created      ntdriver
  Key created      .exe
  Set value (str)  .exe\shell\open\command\IsolatedCommand                "\"%1\" %*"
  Key created      .exe\shell\runas\command
  Set value (str)  .exe\shell\runas\command\ (default)                    "\"%1\" %*"
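Taken together, these writes are a per-user hijack of the .exe file association. The sample repoints the .exe key under the user's Classes hive from the stock exefile ProgID to a new ProgID, ntdriver, whose open verb runs winit32.exe /START "%1" %*, so every .exe the user launches is started through the dropped binary. Because HKEY_CLASSES_ROOT is a merged view in which HKCU\Software\Classes shadows HKLM\Software\Classes, this needs no administrative rights. The runas verb is left as "%1" %*, so a "Run as administrator" launch is not interposed. The Python below is an added example, not part of the report or of the sample: it models that resolution over a registry snapshot constructed from the IoCs above (plus assumed stock HKLM values for the exefile ProgID) and produces the findings a hunt script would report. The verb-resolution order is a simplification of the real shell logic, and the code does not read a live registry.

```python
"""Model the Windows .exe file-association hijack recorded in this report.

Added example. The HKCU snapshot below is constructed from the report's
"Modifies registry class" IoCs; the HKLM snapshot holds the assumed stock
values of a clean machine. Nothing here touches a real registry.
"""
import re

# Path of the dropped binary, as recorded in the report.
WINIT32 = r"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe"

# A verb command that runs the file itself; the stock .exe association.
EXPECTED_EXE_COMMAND = '"%1" %*'

# Assumed stock HKLM\Software\Classes values (not from the report).
HKLM_CLASSES = {
    (".exe", ""): "exefile",
    (r"exefile\shell\open\command", ""): EXPECTED_EXE_COMMAND,
    (r"exefile\shell\runas\command", ""): EXPECTED_EXE_COMMAND,
}

# Values the sample wrote under HKCU\...\Classes (constructed from the IoCs).
# Keys are (registry key, value name); "" is the key's default value.
HKCU_CLASSES = {
    (".exe", ""): "ntdriver",
    (".exe", "Content-Type"): "application/x-msdownload",
    (r".exe\DefaultIcon", ""): "%1",
    (r".exe\shell\open\command", ""): f'"{WINIT32}" /START "%1" %*',
    (r".exe\shell\open\command", "IsolatedCommand"): EXPECTED_EXE_COMMAND,
    (r".exe\shell\runas\command", ""): EXPECTED_EXE_COMMAND,
    (r".exe\shell\runas\command", "IsolatedCommand"): EXPECTED_EXE_COMMAND,
    ("ntdriver", ""): "Application",
    ("ntdriver", "Content-Type"): "application/x-msdownload",
    (r"ntdriver\DefaultIcon", ""): "%1",
    (r"ntdriver\shell\open\command", ""): f'"{WINIT32}" /START "%1" %*',
    (r"ntdriver\shell\open\command", "IsolatedCommand"): EXPECTED_EXE_COMMAND,
    (r"ntdriver\shell\runas\command", ""): EXPECTED_EXE_COMMAND,
    (r"ntdriver\shell\runas\command", "IsolatedCommand"): EXPECTED_EXE_COMMAND,
}


def reg_query(layers, key, name=""):
    """Walk the HKCR merge order (HKCU first, then HKLM); first hit wins."""
    for layer in layers:
        if (key, name) in layer:
            return layer[(key, name)]
    return None


def resolve_verb(layers, ext, verb="open"):
    """Resolve ext -> ProgID -> shell\\<verb>\\command; return (progid, command).

    Simplification: verbs stored under the extension key itself are only
    used as a fallback when the ProgID does not define the verb.
    """
    progid = reg_query(layers, ext)
    command = None
    if progid:
        command = reg_query(layers, "\\".join([progid, "shell", verb, "command"]))
    if command is None:
        command = reg_query(layers, "\\".join([ext, "shell", verb, "command"]))
    return progid, command


def interposed_binary(command):
    """Return the executable a verb runs instead of the file itself, or None."""
    if command is None or command.strip() == EXPECTED_EXE_COMMAND:
        return None
    m = re.match(r'^"([^"]+)"', command.strip())
    return m.group(1) if m else command.split()[0]


def expand_command(command, target):
    """Fill the verb template for one launch: %1 is the file, %* its extra
    arguments (none in this example, so %* expands to nothing)."""
    return command.replace("%1", target).replace(" %*", "").replace("%*", "")


def audit_exe_association(layers):
    """Findings a hunt script would report for the .exe association."""
    progid, open_cmd = resolve_verb(layers, ".exe", "open")
    _, runas_cmd = resolve_verb(layers, ".exe", "runas")
    return {
        "progid": progid,
        "progid_is_stock": progid == "exefile",
        "open_interposed_by": interposed_binary(open_cmd),
        "runas_interposed_by": interposed_binary(runas_cmd),
    }


if __name__ == "__main__":
    infected = [HKCU_CLASSES, HKLM_CLASSES]   # HKCU shadows HKLM
    clean = [HKLM_CLASSES]
    print("infected:", audit_exe_association(infected))
    print("clean:   ", audit_exe_association(clean))
    _, cmd = resolve_verb(infected, ".exe")
    # What actually runs when the user double-clicks a hypothetical C:\Tools\putty.exe
    print(expand_command(cmd, r"C:\Tools\putty.exe"))
```

On a live host the same check is a matter of reading HKCU\Software\Classes\.exe and the ProgID it names: anything other than exefile, or an open command that is not "%1" %*, deserves a look, and the interposed path (here under AppData\Roaming\Microsoft\SysWOW_32) is the file to collect.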
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Description                           PID   Process
  Token: SeIncBasePriorityPrivilege     3648  winit32.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  Description                    PID   Process                                                          Target process
  PID 4788 wrote to memory of 3648   4788  2024-01-25_fb4c18480dd15904e8a452f9b3f198c8_mafia_nionspy.exe  winit32.exe
  PID 4788 wrote to memory of 3648   4788  2024-01-25_fb4c18480dd15904e8a452f9b3f198c8_mafia_nionspy.exe  winit32.exe
  PID 4788 wrote to memory of 3648   4788  2024-01-25_fb4c18480dd15904e8a452f9b3f198c8_mafia_nionspy.exe  winit32.exe
  PID 3648 wrote to memory of 3216   3648  winit32.exe                                                      winit32.exe
  PID 3648 wrote to memory of 3216   3648  winit32.exe                                                      winit32.exe
  PID 3648 wrote to memory of 3216   3648  winit32.exe                                                      winit32.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-01-25_fb4c18480dd15904e8a452f9b3f198c8_mafia_nionspy.exe (PID 4788)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_fb4c18480dd15904e8a452f9b3f198c8_mafia_nionspy.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe (PID 3648, child of 4788)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe (PID 3216, child of 3648)
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\winit32.exe
  Filesize: 288KB
  MD5: 968e95fbdfb080fee83e71cb237b747d
  SHA1: db1f5666f03609136347f5ffbae9b6e8a0e233ba
  SHA256: bf707fa4748cab32b054cd8f2c5f81ec4235595b57c7d1e3db20f7b8c070ad5e
  SHA512: 6493ff4319358e0c4ac7f204ff6d12e3ca304c4a927dea849bdda8d8002e430bb397def409e49a21087599b55e96991800f4b856c258410d6520058bf8104803