fe065726a5e71f1aa1c189c7d0294b2f3be7597c3e0a557dfac0a12f2185756c

Analysis

max time kernel
121s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Size

327KB
MD5

c2af3fb380f4572646f3d4012e98c8c8
SHA1

dc105eaef28fb9ff44888e8cc5cf88c4114ed681
SHA256

fe065726a5e71f1aa1c189c7d0294b2f3be7597c3e0a557dfac0a12f2185756c
SHA512

e42f4f13cb381cf514d733fcc75b29c17f395d6f6db30ff9fd477b45accbf080730e8ce068f5be6388c0fb2b4da7bdd538ef554f35ee41289eec33329df28897
SSDEEP

6144:N2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:N2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
4824	dwmsys.exe
3940	dwmsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\systemui\shell\open	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\dwmsys.exe\" /START \"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\systemui\shell	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\runas	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\systemui\shell\runas	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\systemui\shell\runas\command\ = "\"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\ = "systemui"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\open	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\dwmsys.exe\" /START \"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\systemui	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\DefaultIcon	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\systemui\ = "Application"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\systemui\DefaultIcon\ = "%1"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\runas\command	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\open\command	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\systemui\shell\runas\command	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\systemui\Content-Type = "application/x-msdownload"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\systemui\DefaultIcon	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\systemui\shell\open\command	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4824	dwmsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4824	4676	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe	83
PID 4676 wrote to memory of 4824	4676	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe	83
PID 4676 wrote to memory of 4824	4676	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe	83
PID 4824 wrote to memory of 3940	4824	dwmsys.exe	84
PID 4824 wrote to memory of 3940	4824	dwmsys.exe	84
PID 4824 wrote to memory of 3940	4824	dwmsys.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"
    3⤵
    - Executes dropped EXE
    PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe

Filesize
327KB

MD5
576fb3e221bff187dccb1f4f4099f21e

SHA1
d6adafb53bc81a0864f2613774e9d5676f49a9db

SHA256
d9160a0ba5b53584f72c1eb3ff104c4d223e5df9a71ce648190b5e8b065ff5ae

SHA512
bf97a20af342471fb3860d7f6c55e76fa49b1409a083ee75cf2d9dfbc7261cc2934d1afa4ff311ee41a7a6a4371fd8f5b9ccbbc845961a61d5e991f9a1ffee52

Download Submit