4112d7e0c3e71141fed161e4f8ad1d3661ad0865e6a77892595b8a8bbca7fffb

Analysis

max time kernel
153s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Size

328KB
MD5

11d57b1121cdb54debbfc7c1059d9425
SHA1

339c7f31bbc17f85dea2e7a2e9dafca72352479b
SHA256

4112d7e0c3e71141fed161e4f8ad1d3661ad0865e6a77892595b8a8bbca7fffb
SHA512

f4ecb99d5a2998434b5cb8914f175699934fe01a5619744b06fe0abdc5c764d46d1706e1aa2dfc1ffb89a3226d152a9609dfee6ed4fae4381515263c32361605
SSDEEP

6144:v2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:v2TFafJiHCWBWPMjVWrXf1v

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
912	wlogon32.exe
4296	wlogon32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\haldriver\ = "Application"	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\wlogon32.exe\" /START \"%1\" %*"	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\haldriver\shell\open	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*"	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\.exe\shell\open	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\haldriver	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\haldriver\DefaultIcon	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\haldriver\DefaultIcon\ = "%1"	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\.exe\ = "haldriver"	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\haldriver\Content-Type = "application/x-msdownload"	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\haldriver\shell\open\command	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\haldriver\shell\runas	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\.exe\DefaultIcon	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\.exe\shell	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\wlogon32.exe\" /START \"%1\" %*"	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\.exe	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\.exe\shell\runas	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\.exe\shell\open\command	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\.exe\shell\runas\command	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\haldriver\shell	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\haldriver\shell\runas\command	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	912	wlogon32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 912	3104	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe	84
PID 3104 wrote to memory of 912	3104	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe	84
PID 3104 wrote to memory of 912	3104	2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe	84
PID 912 wrote to memory of 4296	912	wlogon32.exe	85
PID 912 wrote to memory of 4296	912	wlogon32.exe	85
PID 912 wrote to memory of 4296	912	wlogon32.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_11d57b1121cdb54debbfc7c1059d9425_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe"
    3⤵
    - Executes dropped EXE
    PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe

Filesize
328KB

MD5
ba14fc1506a5b80212d818974b328810

SHA1
5c34a85537014fda002cbc2e4a9b0f6c01823d03

SHA256
e1a3019f18fd30c8b03cca8bcc3757d3367cb2a65bd5c918eb2d78c24cecac7b

SHA512
8a58a5749c712cc47f8462e1bc4f21bc6780132953ebf3b1817285feed6c76a9aea47b37b9469c20112c3202c474976e227f963e748ee08edf87de11dda03f67

Download Submit