9363fc7a67fd6de266c0638fa9d12f0fe591983b70a3375899bf8562dfcdc024

Analysis

max time kernel
121s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Size

328KB
MD5

9db761b8da4c4dbd08cb8ee4aa80a199
SHA1

d898b58bf7b606c1c508eeadee83db047f051129
SHA256

9363fc7a67fd6de266c0638fa9d12f0fe591983b70a3375899bf8562dfcdc024
SHA512

3970f24c0512b9fd39d7573b87bdc3a18945b2439cd68bd4f58cacaab9bc7bead584f8a18c1a3b764c1f8a7192cdec901871c7a1e832d6e4b50ea1535b2af432
SSDEEP

6144:z2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:z2TFafJiHCWBWPMjVWrXf1v

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
4480	taskhostsys.exe
1256	taskhostsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\.exe\shell\open\command	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\.exe\shell	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\.exe\shell\runas\command	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\.exe\shell\runas	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\.exe\shell\open	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\taskhostsys.exe\" /START \"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\jitc\shell\runas\command	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\.exe	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\.exe\DefaultIcon	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\jitc\ = "Application"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\jitc\shell\open\command	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\jitc\shell\runas	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\jitc\Content-Type = "application/x-msdownload"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\jitc\shell	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\jitc\shell\runas\command\ = "\"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\jitc\DefaultIcon	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\jitc\DefaultIcon\ = "%1"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\jitc\shell\open	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\.exe\ = "jitc"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\taskhostsys.exe\" /START \"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\jitc	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4480	taskhostsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4480	3004	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe	85
PID 3004 wrote to memory of 4480	3004	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe	85
PID 3004 wrote to memory of 4480	3004	2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe	85
PID 4480 wrote to memory of 1256	4480	taskhostsys.exe	86
PID 4480 wrote to memory of 1256	4480	taskhostsys.exe	86
PID 4480 wrote to memory of 1256	4480	taskhostsys.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_9db761b8da4c4dbd08cb8ee4aa80a199_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe"
    3⤵
    - Executes dropped EXE
    PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\taskhostsys.exe

Filesize
328KB

MD5
dd8a9b4dba72094e80f4da42fd3ed61e

SHA1
1405a3a30f9917418c5c7262a508842a3a1d6b22

SHA256
b1d6e8a06d55f824860debf0c03ef4fbc0faf062a7cfd11fd3f7f910b8b1af33

SHA512
6ed093b201df548989b256cfa59d500203ff5df5b1b181462edc72b7c1f71c5bcbcdbd3271d79a8ca2b120010771d8e18e3a5bdee26114e0c4d2581cb77c67d2

Download Submit