a3e32410a51953f0fda7b1150bd85845b108c64cdbe61d55da31274cb0154313

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 23:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Size

327KB
MD5

7a0c7e18d806e07fa5bc8478ac48048f
SHA1

ff0ffed347d3e283f6162f3bb84420981f3e51af
SHA256

a3e32410a51953f0fda7b1150bd85845b108c64cdbe61d55da31274cb0154313
SHA512

35dc2dad97eb90e2b6b3a56e3df29ba8297f56c7e032281541126be8a3b21e88d65a30aafe0904f73d55a8e743cc190985d94700d18f8d9399657a8de74de4a7
SSDEEP

6144:R2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:R2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
4464	taskhostsys.exe
3852	taskhostsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\jitc	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\jitc\Content-Type = "application/x-msdownload"	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\DefaultIcon	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\open\command	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\jitc\shell	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\jitc\shell\open	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\taskhostsys.exe\" /START \"%1\" %*"	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\jitc\DefaultIcon\ = "%1"	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\jitc\shell\open\command	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\runas	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\jitc\DefaultIcon	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\jitc\shell\runas\command	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\taskhostsys.exe\" /START \"%1\" %*"	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\jitc\shell\runas	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\open	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\runas\command	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\jitc\ = "Application"	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\jitc\shell\runas\command\ = "\"%1\" %*"	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\ = "jitc"	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4464	taskhostsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 4464	4924	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe	97
PID 4924 wrote to memory of 4464	4924	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe	97
PID 4924 wrote to memory of 4464	4924	2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe	97
PID 4464 wrote to memory of 3852	4464	taskhostsys.exe	98
PID 4464 wrote to memory of 3852	4464	taskhostsys.exe	98
PID 4464 wrote to memory of 3852	4464	taskhostsys.exe	98

C:\Users\Admin\AppData\Local\Temp\2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_7a0c7e18d806e07fa5bc8478ac48048f_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe"
    3⤵
    - Executes dropped EXE
    PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2256,i,9172343514068348080,519219714517961765,262144 --variations-seed-version /prefetch:8
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\taskhostsys.exe

Filesize
327KB

MD5
547b0f3108b81a18ba9d3bc90d28d4ef

SHA1
b3202b883b93433fd3773941d1eef745033f2038

SHA256
af65128d509d0fa40bd0e5bf4577c8f0db2f3628dc17b829f451e0f2930c980b

SHA512
08aa47659caf28811791ef11714019f6a120e458b49c34c21f962de550a61e8b8ed5330f0f2ceb3caaf27c6d93ff840cabe14242d3e86fa4d22c21d0a2d4899b

Download Submit