Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/03/2024, 01:43
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
- Size: 344KB
- MD5: 8f303194505a2d82efc89674946843dd
- SHA1: 02441b79c2d46b6691ca68c1e8d63b5419c74cfd
- SHA256: e238beefddce71ef690d2c518121dad1cb301de4037cbcc102a24a4948c7ca9a
- SHA512: ed963cc080382a2f811b8636452a839fa3dcb953f73c0ae18ba9302e7f5972402c2f456fc61b80593c7e920c7fd43b4c7d6499f9381d87dd630ad4e2100d9142
- SSDEEP: 6144:VoTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:qTBPFV0RyWl3h2E+7pYm0
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: 2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe)
- Executes dropped EXE (2 IoCs)
  PID 2136: csrssys.exe
  PID 4108: csrssys.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (30 IoCs)
  All 30 entries were made by process 2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe. Taken together they register a new "wexplorer" ProgID, map the .exe extension to it, and point the open handler at the dropped csrssys.exe with /START "%1", so the dropped binary runs whenever the user launches any executable.
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\DefaultIcon\ = "%1"
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open\command
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\Content-Type = "application/x-msdownload"
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\csrssys.exe\" /START \"%1\" %*"
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\csrssys.exe\" /START \"%1\" %*"
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\ = "wexplorer"
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\Content-Type = "application/x-msdownload"
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\ = "Application"
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\open\command
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\runas
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\DefaultIcon
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\runas\command
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\runas\command\ = "\"%1\" %*"
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\DefaultIcon
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas\command
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\DefaultIcon\ = "%1"
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\open
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege (PID 2136, csrssys.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 400 wrote to memory of 2136 (process: 2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe, procid_target: 100)
  PID 400 wrote to memory of 2136 (process: 2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe, procid_target: 100)
  PID 400 wrote to memory of 2136 (process: 2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe, procid_target: 100)
  PID 2136 wrote to memory of 4108 (process: csrssys.exe, procid_target: 101)
  PID 2136 wrote to memory of 4108 (process: csrssys.exe, procid_target: 101)
  PID 2136 wrote to memory of 4108 (process: csrssys.exe, procid_target: 101)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe (PID 400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe (PID 2136)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe (PID 4108)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe"
      - Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3128)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 344KB
  MD5: 729ccd5f465e3e8c53895f88bfcf0cdb
  SHA1: 52ffc6623bed44df0f788e8457f44af80b4da611
  SHA256: de8e32d0a754e4e00571263ecbd6da92604e7706aa7c26d198397d0d9d91da7c
  SHA512: fabb6493725e5e51a1df097d7559ead54c50f36cb1ab9877e1e411897408b0d1281e9b15c3454af784eabea39fcd11e40bc39f15528d0abe6fbe1f196ebe2c9c
- Filesize: 175KB
  MD5: 599b596a4f2bb7594d5765e6d6956225
  SHA1: fa745586c2793322d565595373eb2ffad771e557
  SHA256: df2bc7e4ceb6afc0652f5705403ed54b8c3b67c86a2b1099759ab139549bbbae
  SHA512: 5bdc22994e358c18d474890e1faa15c8a1e9d59336887a1e58520e34f0a3f589ed3400bee06da46c59de6d6db836ec185edd920d8de961f688f6f3ba55d53158