Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/02/2024, 01:34 UTC

General

  • Target

    2024-02-24_45a0789b3b248196560d2dfb9b778ed3_mafia_nionspy.exe

  • Size

    327KB

  • MD5

    45a0789b3b248196560d2dfb9b778ed3

  • SHA1

    89ad62e9f4e8cb5872e74a3488d8dac4236f7ed7

  • SHA256

    d9de72d39ce82b5c6950cc62dfc12970ab47b7e94a679f999f213abf4218bf3c

  • SHA512

    0de6461bddad1a91631c80a6f14e6403c45eff8727376f537ebd743b5104f0b886367b3a055816edfb8f0ebc3ab69b0488d8ecd7b838bb8eeb44548f7ca514c1

  • SSDEEP

    6144:p2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:p2TFafJiHCWBWPMjVWrXf1v

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-24_45a0789b3b248196560d2dfb9b778ed3_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-24_45a0789b3b248196560d2dfb9b778ed3_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3356
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
        3⤵
        • Executes dropped EXE
        PID:4816
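The process tree above is the drop-and-relaunch chain: the Temp-resident sample writes taskhostsys.exe under %APPDATA%\Microsoft\Posix, starts it with /START and its own path as the argument, and that copy spawns itself again. The dropped copy is the same size as the parent (327KB) but carries a different hash (see Downloads), so a hunt keyed on the original sample's hash misses it. The following added example, which is not part of the sandbox report, keys on path, name and command-line shape instead. The event fields are modelled on Sysmon event ID 1, the events are constructed from the report's tree plus one benign control, and the list of borrowed system-process names is an assumption.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional


# Process-creation event; field names modelled on Sysmon event ID 1 (assumed shape).
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str                   # full path of the executable that started
    cmdline: str                 # command line as logged
    parent_image: Optional[str]  # full path of the parent, None if unknown


# Name stems malware borrows from Windows system processes. Assumed list;
# the report itself only shows taskhostsys.exe.
SYSTEM_NAME_STEMS = ("taskhost", "svchost", "csrss", "lsass", "explorer")

TEMP_DIR = "\\appdata\\local\\temp\\"
ROAMING_DIR = "\\appdata\\roaming\\"

# Constructed from the report's process tree (PIDs 3356 -> 764 -> 4816),
# plus one benign control event (PID 1200) that is not on the page.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-02-24_45a0789b3b248196560d2dfb9b778ed3_mafia_nionspy.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
EVENTS = [
    ProcEvent(3356, SAMPLE, f'"{SAMPLE}"', None),
    ProcEvent(764, DROPPED, f'"{DROPPED}" /START "{DROPPED}"', SAMPLE),
    ProcEvent(4816, DROPPED, f'"{DROPPED}"', DROPPED),
    ProcEvent(1200, r"C:\Windows\System32\taskhostw.exe", "taskhostw.exe",
              r"C:\Windows\System32\svchost.exe"),
]


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def norm(path: str) -> str:
    """Case-fold and normalise separators so paths compare reliably."""
    return path.replace("/", "\\").lower()


def findings_for(ev: ProcEvent) -> list:
    """Return the suspicious traits of one process-creation event."""
    img = norm(ev.image)
    name = ntpath.basename(img)
    parent = norm(ev.parent_image) if ev.parent_image else ""
    out = []
    # Trait 1: a system-process-like name running outside C:\Windows.
    if name.startswith(SYSTEM_NAME_STEMS) and not img.startswith("c:\\windows\\"):
        out.append(f"system-lookalike name {name} outside C:\\Windows")
    # Trait 2: a Temp-resident parent launching a binary from AppData\Roaming.
    if TEMP_DIR in parent and ROAMING_DIR in img:
        out.append("Temp-resident parent launched a dropped AppData\\Roaming binary")
    # Trait 3: the process passes its own path as an argument (the /START relaunch).
    if any(norm(arg) == img for arg in split_cmdline(ev.cmdline)[1:]):
        out.append("passes its own path as a command-line argument")
    # Trait 4: parent and child are the same image (self re-spawn).
    if parent == img:
        out.append("spawned by an identical image (re-spawns itself)")
    return out


def analyse(events) -> dict:
    """Map each PID to its list of findings; an empty list means nothing flagged."""
    return {ev.pid: findings_for(ev) for ev in events}


if __name__ == "__main__":
    for pid, hits in analyse(EVENTS).items():
        print(pid, hits or "clean")
```

PID 764 trips three traits at once (lookalike name, Temp-to-Roaming launch, self-referential /START argument) and PID 4816 two, while the genuine taskhostw.exe from System32 trips none; that separation, not the hash, is what survives a re-packed copy.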

Network

  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    nwoccs.zapto.org
    taskhostsys.exe
    Remote address:
    8.8.8.8:53
    Request
    nwoccs.zapto.org
    IN A
    Response
  • flag-us
    DNS
    173.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    173.178.17.96.in-addr.arpa
    IN PTR
    Response
    173.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-173.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=730bf7a9dc9b4e76b5360f2819fcfa50&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=730bf7a9dc9b4e76b5360f2819fcfa50&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2B68B074ACDB62B20A4AA45BAD606327; domain=.bing.com; expires=Thu, 20-Mar-2025 01:34:32 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: CCF6548E7A84458992A8E746D9750017 Ref B: LON04EDGE0817 Ref C: 2024-02-24T01:34:32Z
    date: Sat, 24 Feb 2024 01:34:32 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=730bf7a9dc9b4e76b5360f2819fcfa50&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=730bf7a9dc9b4e76b5360f2819fcfa50&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2B68B074ACDB62B20A4AA45BAD606327
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=VV_w9aYXD1PJYmHdAmnG6fsuTE5Coq8tHb75ONEBPBs; domain=.bing.com; expires=Thu, 20-Mar-2025 01:34:32 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0D6249C6A4564996B30FA7BD1A6B5667 Ref B: LON04EDGE0817 Ref C: 2024-02-24T01:34:32Z
    date: Sat, 24 Feb 2024 01:34:32 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=730bf7a9dc9b4e76b5360f2819fcfa50&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=730bf7a9dc9b4e76b5360f2819fcfa50&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2B68B074ACDB62B20A4AA45BAD606327; MSPTC=VV_w9aYXD1PJYmHdAmnG6fsuTE5Coq8tHb75ONEBPBs
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 35359E059D794A81A9B0E17020EDCE7E Ref B: LON04EDGE0817 Ref C: 2024-02-24T01:34:32Z
    date: Sat, 24 Feb 2024 01:34:32 GMT
  • flag-us
    DNS
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
    Response
    41.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-41.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001.a-msedge.net
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    nwoccs.zapto.org
    taskhostsys.exe
    Remote address:
    8.8.8.8:53
    Request
    nwoccs.zapto.org
    IN A
    Response
  • flag-us
    DNS
    105.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    105.135.221.88.in-addr.arpa
    IN PTR
    Response
    105.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-105.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    nwoccs.zapto.org
    taskhostsys.exe
    Remote address:
    8.8.8.8:53
    Request
    nwoccs.zapto.org
    IN A
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    nwoccs.zapto.org
    taskhostsys.exe
    Remote address:
    8.8.8.8:53
    Request
    nwoccs.zapto.org
    IN A
    Response
  • flag-us
    DNS
    nwoccs.zapto.org
    taskhostsys.exe
    Remote address:
    8.8.8.8:53
    Request
    nwoccs.zapto.org
    IN A
    Response
  • 204.79.197.200:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=730bf7a9dc9b4e76b5360f2819fcfa50&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=
    tls, http2
    2.0kB
    9.2kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=730bf7a9dc9b4e76b5360f2819fcfa50&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=730bf7a9dc9b4e76b5360f2819fcfa50&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=730bf7a9dc9b4e76b5360f2819fcfa50&localId=w:DE85FF22-0C12-E266-9673-0EBC171C1C82&deviceId=6825825694848287&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    75.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    75.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    nwoccs.zapto.org
    dns
    taskhostsys.exe
    62 B
    122 B
    1
    1

    DNS Request

    nwoccs.zapto.org

  • 8.8.8.8:53
    173.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    173.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    158 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    41.110.16.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    41.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
    106 B
    1
    1

    DNS Request

    200.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    nwoccs.zapto.org
    dns
    taskhostsys.exe
    62 B
    122 B
    1
    1

    DNS Request

    nwoccs.zapto.org

  • 8.8.8.8:53
    105.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    105.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    nwoccs.zapto.org
    dns
    taskhostsys.exe
    62 B
    122 B
    1
    1

    DNS Request

    nwoccs.zapto.org

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    146 B
    144 B
    2
    1

    DNS Request

    240.221.184.93.in-addr.arpa

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    nwoccs.zapto.org
    dns
    taskhostsys.exe
    62 B
    122 B
    1
    1

    DNS Request

    nwoccs.zapto.org

  • 8.8.8.8:53
    nwoccs.zapto.org
    dns
    taskhostsys.exe
    62 B
    122 B
    1
    1

    DNS Request

    nwoccs.zapto.org

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe

    Filesize

    327KB

    MD5

    c454bccf4074c1795fcc5e6a86f0e00e

    SHA1

    607358fe057dec52c852d45fe058598277fac7c8

    SHA256

    1edf2ce5ac5179d756746d1685c9264c5004ce6ecd8666d9648bee8d7066a68a

    SHA512

    dad80baf70f2fc99131907198b1fb917bddc60d556cacf0f21104a26e914d5629758e560e3b912bb402024a9b8c7cd597079068cbc9d65f17cfa248e26c3a762