e238beefddce71ef690d2c518121dad1cb301de4037cbcc102a24a4948c7ca9a

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Size

344KB
MD5

8f303194505a2d82efc89674946843dd
SHA1

02441b79c2d46b6691ca68c1e8d63b5419c74cfd
SHA256

e238beefddce71ef690d2c518121dad1cb301de4037cbcc102a24a4948c7ca9a
SHA512

ed963cc080382a2f811b8636452a839fa3dcb953f73c0ae18ba9302e7f5972402c2f456fc61b80593c7e920c7fd43b4c7d6499f9381d87dd630ad4e2100d9142
SSDEEP

6144:VoTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:qTBPFV0RyWl3h2E+7pYm0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
2136	csrssys.exe
4108	csrssys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open\command	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\Content-Type = "application/x-msdownload"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\csrssys.exe\" /START \"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\csrssys.exe\" /START \"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\ = "wexplorer"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\ = "Application"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\open\command	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\runas	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\DefaultIcon	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\runas\command	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\runas\command\ = "\"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\DefaultIcon	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas\command	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\DefaultIcon\ = "%1"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\open	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2136	csrssys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2136	400	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe	100
PID 400 wrote to memory of 2136	400	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe	100
PID 400 wrote to memory of 2136	400	2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe	100
PID 2136 wrote to memory of 4108	2136	csrssys.exe	101
PID 2136 wrote to memory of 4108	2136	csrssys.exe	101
PID 2136 wrote to memory of 4108	2136	csrssys.exe	101

C:\Users\Admin\AppData\Local\Temp\2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe"
    3⤵
    - Executes dropped EXE
    PID:4108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe

Filesize
344KB

MD5
729ccd5f465e3e8c53895f88bfcf0cdb

SHA1
52ffc6623bed44df0f788e8457f44af80b4da611

SHA256
de8e32d0a754e4e00571263ecbd6da92604e7706aa7c26d198397d0d9d91da7c

SHA512
fabb6493725e5e51a1df097d7559ead54c50f36cb1ab9877e1e411897408b0d1281e9b15c3454af784eabea39fcd11e40bc39f15528d0abe6fbe1f196ebe2c9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe

Filesize
175KB

MD5
599b596a4f2bb7594d5765e6d6956225

SHA1
fa745586c2793322d565595373eb2ffad771e557

SHA256
df2bc7e4ceb6afc0652f5705403ed54b8c3b67c86a2b1099759ab139549bbbae

SHA512
5bdc22994e358c18d474890e1faa15c8a1e9d59336887a1e58520e34f0a3f589ed3400bee06da46c59de6d6db836ec185edd920d8de961f688f6f3ba55d53158

Download Submit