Analysis

max time kernel: 121s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/01/2024, 07:32 UTC
Static task: static1

Behavioral task: behavioral1
Sample: 2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Resource: win10v2004-20231222-en
General

Target: 2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Size: 327KB
MD5: 7323d589b391404dcba57a561a702fdb
SHA1: 955eebb9085178e7b517f4325585c197d8553894
SHA256: da172f3e06a3da04a73b9f0ba9d2236019a969a81254ee60bf033379fc629102
SHA512: c0842a9915e3e5acf90dd11bf327cca4ce61df649e25934fa57c24711066feca985f34c4e24d10b5528a2ff5df0202d7fcdc6601ae26c269a9e080b4ee23c1a8
SSDEEP: 6144:P2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:P2TFafJiHCWBWPMjVWrXK0
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.

description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe
Executes dropped EXE (2 IoCs)

pid | process
1888 | lsassys.exe
1828 | lsassys.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (30 IoCs)

All 30 writes are made by 2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe. In the table, <USER_CLASSES> stands for \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes, the per-user HKCU\Software\Classes hive, which the shell consults before HKLM\Software\Classes when it builds HKEY_CLASSES_ROOT.

Taken together the writes re-point the per-user .exe file association. The default value of <USER_CLASSES>\.exe becomes the new ProgID "halnt", and both <USER_CLASSES>\.exe\shell\open\command and <USER_CLASSES>\halnt\shell\open\command are set to run the dropped C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe with /START "%1" %*, so any .exe this user opens through the shell is started by way of the dropped binary, which then receives the intended program as %1. The runas commands and every IsolatedCommand value are left at the pass-through "%1" %*, so a glance at those values looks clean. The association persists across reboots (ATT&CK T1546.001, change default file association) and survives deletion of the original sample as long as lsassys.exe remains.

description | ioc
Set value (str) | <USER_CLASSES>\.exe\Content-Type = "application/x-msdownload"
Set value (str) | <USER_CLASSES>\.exe\DefaultIcon\ = "%1"
Set value (str) | <USER_CLASSES>\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"
Key created | <USER_CLASSES>\.exe\shell\runas\command
Set value (str) | <USER_CLASSES>\halnt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\lsassys.exe\" /START \"%1\" %*"
Key created | <USER_CLASSES>\halnt\shell\runas
Set value (str) | <USER_CLASSES>\halnt\shell\runas\command\IsolatedCommand = "\"%1\" %*"
Key created | <USER_CLASSES>\.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created | <USER_CLASSES>\Local Settings
Key created | <USER_CLASSES>\halnt\shell\open
Set value (str) | <USER_CLASSES>\halnt\shell\runas\command\ = "\"%1\" %*"
Key created | <USER_CLASSES>\.exe\shell
Key created | <USER_CLASSES>\.exe\shell\open
Set value (str) | <USER_CLASSES>\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\lsassys.exe\" /START \"%1\" %*"
Key created | <USER_CLASSES>\.exe\shell\runas
Key created | <USER_CLASSES>\.exe\shell\open\command
Set value (str) | <USER_CLASSES>\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"
Set value (str) | <USER_CLASSES>\halnt\Content-Type = "application/x-msdownload"
Set value (str) | <USER_CLASSES>\halnt\DefaultIcon\ = "%1"
Key created | <USER_CLASSES>\halnt\shell\open\command
Set value (str) | <USER_CLASSES>\halnt\shell\open\command\IsolatedCommand = "\"%1\" %*"
Key created | <USER_CLASSES>\halnt\DefaultIcon
Key created | <USER_CLASSES>\halnt\shell
Set value (str) | <USER_CLASSES>\.exe\ = "halnt"
Set value (str) | <USER_CLASSES>\.exe\shell\runas\command\ = "\"%1\" %*"
Key created | <USER_CLASSES>\halnt
Set value (str) | <USER_CLASSES>\halnt\ = "Application"
Key created | <USER_CLASSES>\halnt\shell\runas\command
Key created | <USER_CLASSES>\.exe\DefaultIcon
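To make the effect of those writes concrete, here is an added example (not code from the report or from tria.ge) that replays the Set value rows above into an in-memory hive and resolves the .exe association the way the shell does: the default value of .exe names a ProgID, and ProgID\shell\open\command holds the command template. The event strings are constructed from the table, using the report's own path and escaping conventions; the exefile control case is hypothetical and only there for contrast.

```python
r"""Resolve what really runs when this user opens an .exe, from the report's
registry writes.

Added example: not code from the report or from tria.ge. The event strings
below are constructed from the "Modifies registry class" IoCs (the "Set value"
rows; "Key created" rows carry no data and do not change the resolution).
"""
import re
from typing import Dict, List, Optional, Tuple

USER_CLASSES = r"\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes"
PASS_THROUGH = '"%1" %*'  # what a healthy exefile\shell\open\command holds

# Constructed from the report, in the order observed.
REPORT_EVENTS: List[str] = [
    USER_CLASSES + r'\.exe\Content-Type = "application/x-msdownload"',
    USER_CLASSES + r'\.exe\DefaultIcon\ = "%1"',
    USER_CLASSES + r'\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"',
    USER_CLASSES + r'\halnt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\lsassys.exe\" /START \"%1\" %*"',
    USER_CLASSES + r'\halnt\shell\runas\command\IsolatedCommand = "\"%1\" %*"',
    USER_CLASSES + r'\halnt\shell\runas\command\ = "\"%1\" %*"',
    USER_CLASSES + r'\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\lsassys.exe\" /START \"%1\" %*"',
    USER_CLASSES + r'\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"',
    USER_CLASSES + r'\halnt\Content-Type = "application/x-msdownload"',
    USER_CLASSES + r'\halnt\DefaultIcon\ = "%1"',
    USER_CLASSES + r'\halnt\shell\open\command\IsolatedCommand = "\"%1\" %*"',
    USER_CLASSES + r'\.exe\ = "halnt"',
    USER_CLASSES + r'\.exe\shell\runas\command\ = "\"%1\" %*"',
    USER_CLASSES + r'\halnt\ = "Application"',
]

# Hypothetical control case: a per-user hive that spells out the stock
# exefile association explicitly. Not from the report; for contrast only.
BENIGN_EVENTS: List[str] = [
    USER_CLASSES + r'\.exe\ = "exefile"',
    USER_CLASSES + r'\exefile\shell\open\command\ = "\"%1\" %*"',
]

SET_LINE = re.compile(r'^(?P<path>.+?) = "(?P<data>.*)"$')


def parse_set_value(line: str) -> Tuple[str, str, str]:
    r"""Turn a report 'path = "data"' line into (key, value_name, data).

    A trailing backslash on the path denotes the key's (Default) value. The
    report escapes quotes and backslashes inside data as \" and \\; undo that.
    """
    m = SET_LINE.match(line)
    if m is None:
        raise ValueError(f"not a Set value line: {line!r}")
    path = m.group("path")
    data = re.sub(r"\\(.)", r"\1", m.group("data"))
    if path.endswith("\\"):
        return path[:-1], "", data
    key, _, name = path.rpartition("\\")
    return key, name, data


def build_hive(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Replay the writes into {key: {value_name: data}}; later writes win."""
    hive: Dict[str, Dict[str, str]] = {}
    for line in lines:
        key, name, data = parse_set_value(line)
        hive.setdefault(key, {})[name] = data
    return hive


def resolve_exe_handler(hive: Dict[str, Dict[str, str]],
                        classes_root: str = USER_CLASSES) -> Optional[dict]:
    r"""Follow .exe -> ProgID -> ProgID\shell\open\command as the shell does.

    Returns None when the user hive does not override .exe at all (the
    machine-wide exefile association then applies). Otherwise returns the
    resolved command template and whether it deviates from the pass-through.
    """
    progid = hive.get(classes_root + r"\.exe", {}).get("")
    if progid is None:
        return None
    cmd_key = hive.get(classes_root + "\\" + progid + r"\shell\open\command", {})
    command = cmd_key.get("")
    return {
        "progid": progid,
        "command": command,
        # Malware tends to leave IsolatedCommand at the benign value so the
        # key looks clean at a glance; report it next to the real command.
        "isolated_command": cmd_key.get("IsolatedCommand"),
        "hijacked": command is not None and command != PASS_THROUGH,
    }


def handler_image(command: str) -> str:
    """First token of a command template: the binary that actually runs."""
    m = re.match(r'"([^"]+)"', command)
    return m.group(1) if m else command.split()[0]


def analyse(lines: List[str] = REPORT_EVENTS) -> Optional[dict]:
    return resolve_exe_handler(build_hive(lines))


if __name__ == "__main__":
    verdict = analyse()
    print(verdict)
    if verdict and verdict["hijacked"]:
        print("every .exe this user opens now runs through:",
              handler_image(verdict["command"]))
```

The same resolution can be run against a live hive or an offline NTUSER.DAT: feed it the (Default) value of HKCU\Software\Classes\.exe and the command key of whatever ProgID that names, and compare with the "%1" %* pass-through. Checking IsolatedCommand alone is not enough; here it is benign while the real command is not.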
Suspicious use of AdjustPrivilegeToken (1 IoC)

description | pid | process
Token: SeIncBasePriorityPrivilege | 1888 | lsassys.exe

Suspicious use of WriteProcessMemory (6 IoCs)

description | pid | process | procid_target
PID 4808 wrote to memory of 1888 | 4808 | 2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe | 92
PID 4808 wrote to memory of 1888 | 4808 | 2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe | 92
PID 4808 wrote to memory of 1888 | 4808 | 2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe | 92
PID 1888 wrote to memory of 1828 | 1888 | lsassys.exe | 91
PID 1888 wrote to memory of 1828 | 1888 | lsassys.exe | 91
PID 1888 wrote to memory of 1828 | 1888 | lsassys.exe | 91

Each parent shows exactly three writes into a child it has just created, the pattern that accompanies normal process start-up (the parent populates the new process before it runs), and the signature fires on that as well. These rows therefore establish the parent-child relationship (sample to the first lsassys.exe, first lsassys.exe to the second) but are not on their own evidence of code injection.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe (PID 4808)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  child: C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe (PID 1888)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe (PID 1828)
  command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"
  - Executes dropped EXE

The name lsassys.exe and the directory SysWOW_32 imitate the legitimate lsass.exe and %SystemRoot%\SysWOW64; the real LSASS runs from C:\Windows\System32 and is never a child of a program in %TEMP%. The command line of PID 1888 is the hijacked shell\open\command template with %1 filled in as lsassys.exe itself, which is what the tree looks like when the dropped file is started through the altered association; PID 1888 then writes into PID 1828, the second lsassys.exe instance, whose command line is the plain pass-through.
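An added example, not code from the report or from tria.ge, that applies the checks an analyst makes by eye on the tree above: is the image name within a couple of edits of a protected system binary, does its directory imitate System32 or SysWOW64 without being under C:\Windows, and does it live in the user profile. The process records are constructed from the tree; the C:\Windows\System32\lsass.exe record, the name list and the distance threshold are my own assumptions, not anything the report defines.

```python
r"""Flag process images that imitate Windows system binaries or directories.

Added example, not code from the report or from tria.ge. PROCESSES is
constructed from the report's process tree; the C:\Windows\System32\lsass.exe
record is a made-up control case. Name list and threshold are assumptions.
"""
import ntpath
from typing import Dict, List

# Names malware most often borrows (all real Windows binaries).
SYSTEM_NAMES = ("lsass.exe", "svchost.exe", "csrss.exe", "smss.exe", "services.exe",
                "winlogon.exe", "wininit.exe", "explorer.exe")
# Directories those binaries legitimately run from.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")
# Substrings that only belong under C:\Windows; anywhere else they are decoys.
SYSTEM_DIR_TOKENS = ("system32", "syswow")

# Constructed from the report's process tree (pid, parent pid, image path).
PROCESSES = [
    {"pid": 4808, "ppid": None, "image": r"C:\Users\Admin\AppData\Local\Temp\2024-01-28_7323d589b391404dcba57a561a702fdb_mafia_nionspy.exe"},
    {"pid": 1888, "ppid": 4808, "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"},
    {"pid": 1828, "ppid": None, "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\lsass.exe"},  # constructed control case
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small enough to inline, no third-party package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(image: str) -> List[str]:
    """Findings for one image path; an empty list means nothing looked odd."""
    directory, name = ntpath.split(image)  # ntpath: Windows path rules on any host
    directory, name = directory.lower(), name.lower()
    in_system_dir = directory in SYSTEM_DIRS
    findings: List[str] = []

    if name in SYSTEM_NAMES:
        if not in_system_dir:
            findings.append(f"{name} is a system binary name but runs from {directory}")
    else:
        # Lookalike names: lsassys.exe is two edits from lsass.exe.
        dist, closest = min((edit_distance(name, s), s) for s in SYSTEM_NAMES)
        if dist <= 2:
            findings.append(f"{name} is {dist} edit(s) away from {closest}")

    if not in_system_dir and any(tok in directory for tok in SYSTEM_DIR_TOKENS):
        findings.append(f"{directory} imitates a Windows system directory")

    if directory.startswith("c:\\users\\"):
        findings.append("image sits in a user-writable profile directory")
    return findings


def triage(processes=PROCESSES) -> Dict[int, List[str]]:
    """Findings per PID, naming the parent when it is part of the same tree."""
    by_pid = {p["pid"]: p for p in processes}
    out: Dict[int, List[str]] = {}
    for p in processes:
        findings = assess(p["image"])
        parent = by_pid.get(p["ppid"])
        if findings and parent is not None:
            findings.append(f"spawned by {ntpath.basename(parent['image'])} (pid {parent['pid']})")
        out[p["pid"]] = findings
    return out


if __name__ == "__main__":
    for pid, findings in triage().items():
        print(pid, "clean" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Run against a Sysmon event 1 export or a memory-image process list, the same three checks separate lookalikes such as lsassys.exe from the genuine binary in one pass; the edit-distance check is what catches names that string matching on "lsass" would miss (svch0st, csrsss) while leaving the real csrss.exe alone because exact system names are handled before the distance comparison.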
Network

DNS lookups (all sent to 8.8.8.8:53, in the order observed)

154.239.44.20.in-addr.arpa IN PTR -> (no answer)

tse1.mm.bing.net IN A ->
  tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
  mm-mm.bing.net.trafficmanager.net IN CNAME dual-a-0001.a-msedge.net
  dual-a-0001.a-msedge.net IN A 204.79.197.200
  dual-a-0001.a-msedge.net IN A 13.107.21.200
HTTP request to 204.79.197.200:443
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301022_10AJDZH059R4K9Z5T&pid=21.2&w=1920&h=1080&c=4

Request:
GET /th?id=OADD2.10239317301022_10AJDZH059R4K9Z5T&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 468644
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C65205CCE6B0441A849EB4A5BAF53477 Ref B: LON04EDGE1110 Ref C: 2024-01-28T07:33:01Z
date: Sun, 28 Jan 2024 07:33:00 GMT
Remaining DNS lookups (8.8.8.8:53, in order)

nwoccs.zapto.org IN A -> (no answer)
0.205.248.87.in-addr.arpa IN PTR -> https-87-248-205-0.lgw.llnw.net
200.197.79.204.in-addr.arpa IN PTR -> a-0001.a-msedge.net
95.221.229.192.in-addr.arpa IN PTR -> (no answer)
18.31.95.13.in-addr.arpa IN PTR -> (no answer)
64.159.190.20.in-addr.arpa IN PTR -> (no answer)
196.249.167.52.in-addr.arpa IN PTR -> (no answer)
149.220.183.52.in-addr.arpa IN PTR -> (no answer)
50.23.12.20.in-addr.arpa IN PTR -> (no answer)
nwoccs.zapto.org IN A -> (no answer)
240.221.184.93.in-addr.arpa IN PTR -> (no answer)
nwoccs.zapto.org IN A -> (no answer)
173.178.17.96.in-addr.arpa IN PTR -> a96-17-178-173.deploy.static.akamaitechnologies.com
13.227.111.52.in-addr.arpa IN PTR -> (no answer)
nwoccs.zapto.org IN A -> (no answer)
180.178.17.96.in-addr.arpa IN PTR -> a96-17-178-180.deploy.static.akamaitechnologies.com
nwoccs.zapto.org IN A -> (no answer)

Of all the lookups above, only nwoccs.zapto.org (a hostname in No-IP's zapto.org dynamic-DNS zone) is of the kind a sample's own code issues: it is queried five times over the run and never receives an A record, so no connection to it appears in the capture and the hostname is the only network indicator this run yields. The tse1.mm.bing.net fetch (a 1920x1080 JPEG, Edge user-agent, 200 OK) is not attributed to any sample process in this report and matches routine Windows background activity; the in-addr.arpa PTR queries are reverse lookups of addresses seen during the run and carry no indicator value by themselves.
Traffic summary (per flow: bytes sent / received, packets sent / received, as listed in the report)

204.79.197.200:443 | tls, http | 217.7kB / 492.9kB | 365 / 363
  HTTP request: GET https://tse1.mm.bing.net/th?id=OADD2.10239317301022_10AJDZH059R4K9Z5T&pid=21.2&w=1920&h=1080&c=4
  HTTP response: 200
8.8.8.8:53 | dns | 72 B / 158 B | 1 / 1 | 154.239.44.20.in-addr.arpa
8.8.8.8:53 | dns | 62 B / 173 B | 1 / 1 | tse1.mm.bing.net -> 204.79.197.200, 13.107.21.200
8.8.8.8:53 | dns | 62 B / 122 B | 1 / 1 | nwoccs.zapto.org
8.8.8.8:53 | dns | 71 B / 116 B | 1 / 1 | 0.205.248.87.in-addr.arpa
8.8.8.8:53 | dns | 73 B / 106 B | 1 / 1 | 200.197.79.204.in-addr.arpa
8.8.8.8:53 | dns | 143 B / 288 B | 2 / 2 | 95.221.229.192.in-addr.arpa, 18.31.95.13.in-addr.arpa
8.8.8.8:53 | dns | 72 B / 158 B | 1 / 1 | 64.159.190.20.in-addr.arpa
8.8.8.8:53 | dns | 73 B / 147 B | 1 / 1 | 196.249.167.52.in-addr.arpa
8.8.8.8:53 | dns | 73 B / 147 B | 1 / 1 | 149.220.183.52.in-addr.arpa
8.8.8.8:53 | dns | 70 B / 156 B | 1 / 1 | 50.23.12.20.in-addr.arpa
8.8.8.8:53 | dns | 62 B / 122 B | 1 / 1 | nwoccs.zapto.org
8.8.8.8:53 | dns | 73 B / 144 B | 1 / 1 | 240.221.184.93.in-addr.arpa
8.8.8.8:53 | dns | 62 B / 122 B | 1 / 1 | nwoccs.zapto.org
8.8.8.8:53 | dns | 72 B / 137 B | 1 / 1 | 173.178.17.96.in-addr.arpa
8.8.8.8:53 | dns | 72 B / 158 B | 1 / 1 | 13.227.111.52.in-addr.arpa
8.8.8.8:53 | dns | 62 B / 122 B | 1 / 1 | nwoccs.zapto.org
8.8.8.8:53 | dns | 72 B / 137 B | 1 / 1 | 180.178.17.96.in-addr.arpa
8.8.8.8:53 | dns | 62 B / 122 B | 1 / 1 | nwoccs.zapto.org
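An added example, not code from the report or from tria.ge, that separates the sample's own resolution attempts from the background noise in the log above: it counts queries per name, sets reverse lookups aside, and flags forward names that are retried without ever resolving or that fall in a dynamic-DNS zone. DNS_LOG is constructed from the entries above (PTR answers with the dots the page extraction dropped restored); the suffix list and the retry threshold are assumptions of mine.

```python
"""Separate the sample's own name resolution from sandbox and OS background noise.

Added example, not code from the report or from tria.ge. DNS_LOG is
constructed from the report's DNS entries in observed order. The dynamic-DNS
suffix list and the repeat threshold are assumptions, not report data.
"""
from typing import Dict, List, Tuple

# Free dynamic-DNS zones run by No-IP; zapto.org is the one seen in this run.
DDNS_SUFFIXES = (".zapto.org", ".no-ip.org", ".no-ip.biz", ".ddns.net",
                 ".hopto.org", ".sytes.net")

# (qname, qtype, answers), constructed from the report's DNS log.
DNS_LOG: List[Tuple[str, str, List[str]]] = [
    ("154.239.44.20.in-addr.arpa", "PTR", []),
    ("tse1.mm.bing.net", "A", ["204.79.197.200", "13.107.21.200"]),
    ("nwoccs.zapto.org", "A", []),
    ("0.205.248.87.in-addr.arpa", "PTR", ["https-87-248-205-0.lgw.llnw.net"]),
    ("200.197.79.204.in-addr.arpa", "PTR", ["a-0001.a-msedge.net"]),
    ("95.221.229.192.in-addr.arpa", "PTR", []),
    ("18.31.95.13.in-addr.arpa", "PTR", []),
    ("64.159.190.20.in-addr.arpa", "PTR", []),
    ("196.249.167.52.in-addr.arpa", "PTR", []),
    ("149.220.183.52.in-addr.arpa", "PTR", []),
    ("50.23.12.20.in-addr.arpa", "PTR", []),
    ("nwoccs.zapto.org", "A", []),
    ("240.221.184.93.in-addr.arpa", "PTR", []),
    ("nwoccs.zapto.org", "A", []),
    ("173.178.17.96.in-addr.arpa", "PTR", ["a96-17-178-173.deploy.static.akamaitechnologies.com"]),
    ("13.227.111.52.in-addr.arpa", "PTR", []),
    ("nwoccs.zapto.org", "A", []),
    ("180.178.17.96.in-addr.arpa", "PTR", ["a96-17-178-180.deploy.static.akamaitechnologies.com"]),
    ("nwoccs.zapto.org", "A", []),
]


def summarize(log=DNS_LOG) -> Dict[str, dict]:
    """Per-name query count, answered count and the set of IPs ever returned."""
    stats: Dict[str, dict] = {}
    for qname, qtype, answers in log:
        s = stats.setdefault(qname.lower(),
                             {"qtype": qtype, "queries": 0, "answered": 0, "ips": set()})
        s["queries"] += 1
        if answers:
            s["answered"] += 1
            if qtype == "A":
                s["ips"].update(answers)
    return stats


def is_reverse(qname: str) -> bool:
    return qname.endswith(".in-addr.arpa") or qname.endswith(".ip6.arpa")


def suspicious_lookups(log=DNS_LOG, min_repeats: int = 3) -> List[Tuple[str, List[str]]]:
    """Forward lookups that keep failing (a client retries what it needs) or
    that land in a dynamic-DNS zone. Reverse lookups say nothing about what
    the sample wanted to reach, so they are skipped."""
    out: List[Tuple[str, List[str]]] = []
    for qname, s in summarize(log).items():
        if is_reverse(qname):
            continue
        reasons = []
        if s["answered"] == 0 and s["queries"] >= min_repeats:
            reasons.append(f"queried {s['queries']} times, never resolved")
        if qname.endswith(DDNS_SUFFIXES):
            reasons.append("dynamic-DNS zone")
        if reasons:
            out.append((qname, reasons))
    return out


def network_iocs(log=DNS_LOG) -> Dict[str, List[str]]:
    """Block-list candidates: flagged names plus any IPs they resolved to.
    A name that never resolved yields no IP, and hence no C2 traffic to look
    for in the capture: the hostname itself is the only indicator."""
    stats = summarize(log)
    return {qname: sorted(stats[qname]["ips"]) for qname, _ in suspicious_lookups(log)}


if __name__ == "__main__":
    for qname, reasons in suspicious_lookups():
        print(qname, "->", "; ".join(reasons))
    print(network_iocs())
```

Against a full pcap or a resolver log the same two rules (repeated unanswered forward lookups, dynamic-DNS suffix) surface the candidate C2 name without any signature for the family; the threshold of three retries is what keeps one-off typos and CDN churn out of the result.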
MITRE ATT&CK Enterprise v15
Downloads

One file is available for download. It has the same 327KB size as the submitted sample but different hashes, so it is not a byte-identical copy of it.

Filesize: 327KB
MD5: fae797bb3f749f2319fa74a7f1773f9f
SHA1: c15dc732e7b900828d1b76ee977b968640f8d907
SHA256: 89513d625da6c538e32718609af33906f766c8742746606493b555c905f11be9
SHA512: fc8273ac93cc960e99f5dfe222ac58fa2af311107ca3742d8e41179beaa35d44f6343d2a01ef928722b7af72a324b8480b1d24e5b10efc71d5ebde554d590c13