00371caf883ccdb7812c778730dd92956e75683883b76839649e5832602b0add

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Size

274KB
MD5

0a6f374e4e9c18fa0206731d2882cd10
SHA1

874c8fb1becce92b6d995e5cfb3880f18407f3ca
SHA256

00371caf883ccdb7812c778730dd92956e75683883b76839649e5832602b0add
SHA512

1a4a157034bcce43b8fbf522d14a32369721ca814ab86882d8151e80e08ff92119f4b1d0206a46d0c7c97abe4c7db70f4418ef232c68782de920377b369e1742
SSDEEP

6144:0YvZ6brUj+bvqHXSpWr2Kqz83Oad3Jg4PlPDIQ+KLzDDg:0YvEbrUjp3SpWggd3JBPlPDIQ3g

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
1576	taskhostsys.exe
3196	taskhostsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.exe\shell\runas\command	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\jitc\shell\runas	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.exe\shell	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\jitc\DefaultIcon\ = "%1"	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\jitc\shell\runas\command	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.exe\shell\runas	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\jitc\DefaultIcon	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\taskhostsys.exe\" /START \"%1\" %*"	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\taskhostsys.exe\" /START \"%1\" %*"	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\jitc	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\jitc\ = "Application"	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.exe\shell\open\command	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.exe\shell\open	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\jitc\Content-Type = "application/x-msdownload"	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.exe	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.exe\ = "jitc"	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\jitc\shell\open	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\jitc\shell\runas\command\ = "\"%1\" %*"	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\.exe\DefaultIcon	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\jitc\shell\open\command	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\jitc\shell	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1576	taskhostsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1576	2028	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe	90
PID 2028 wrote to memory of 1576	2028	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe	90
PID 2028 wrote to memory of 1576	2028	2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe	90
PID 1576 wrote to memory of 3196	1576	taskhostsys.exe	91
PID 1576 wrote to memory of 3196	1576	taskhostsys.exe	91
PID 1576 wrote to memory of 3196	1576	taskhostsys.exe	91

C:\Users\Admin\AppData\Local\Temp\2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_0a6f374e4e9c18fa0206731d2882cd10_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe"
    3⤵
    - Executes dropped EXE
    PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Posix\taskhostsys.exe

Filesize
274KB

MD5
0499b1da898c86cf47cfa0e57d47ff09

SHA1
196efc7122cec3e334a3ffaf8fd2c0fd20db40c3

SHA256
330aa375d5449ad542142c3598557a85660c0071b4d42cf754abb7f37a291909

SHA512
f1453ceb2fe3f2529c799a15d588ac20e767712e1e05adf4f49dc954fb9b61d54e0f25ed33f9fecd0dec34472a9aee2d79f272281046820dd6f7ee9d3a75519d

Download Submit