ce262256c6025cb814be9250fb0eb95a6863a4320689e96230beb2451c2a63a3

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Size

280KB
MD5

cf6ba45ed9ec181de54a11395457ddab
SHA1

82eb93a4e9f76bb4606cb78833a335363c4c6207
SHA256

ce262256c6025cb814be9250fb0eb95a6863a4320689e96230beb2451c2a63a3
SHA512

c74e5fa11a2869f2357f0137c803c587978a02cc7fa82cd4e5b30c6ad1be2ccbb9ab569a2481b8512505f82791bb1c889e0f7b39ceb1a7fea5b0375a6d3ea8a2
SSDEEP

6144:rQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:rQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
696	winit32.exe
560	winit32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\haldriver	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\haldriver\ = "Application"	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\haldriver\shell\open	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\.exe\shell\runas	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\haldriver\DefaultIcon\ = "%1"	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\haldriver\shell\runas\command	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\haldriver\shell\runas	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\haldriver\Content-Type = "application/x-msdownload"	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\haldriver\DefaultIcon	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\haldriver\shell	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\.exe\DefaultIcon	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\winit32.exe\" /START \"%1\" %*"	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\.exe	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\.exe\shell\open	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\haldriver\shell\open\command	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*"	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\winit32.exe\" /START \"%1\" %*"	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\.exe\shell	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\.exe\shell\open\command	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\.exe\ = "haldriver"	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\.exe\shell\runas\command	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	696	winit32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 696	4328	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe	90
PID 4328 wrote to memory of 696	4328	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe	90
PID 4328 wrote to memory of 696	4328	2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe	90
PID 696 wrote to memory of 560	696	winit32.exe	91
PID 696 wrote to memory of 560	696	winit32.exe	91
PID 696 wrote to memory of 560	696	winit32.exe	91

C:\Users\Admin\AppData\Local\Temp\2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_cf6ba45ed9ec181de54a11395457ddab_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\winit32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\winit32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\winit32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\winit32.exe"
    3⤵
    - Executes dropped EXE
    PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\winit32.exe

Filesize
280KB

MD5
ebfbcb90496bc23be0b6f0d3b39c4eb1

SHA1
5cb110c4eba841d9b82f2bae405f8674a6576e86

SHA256
ebad8778dfad36efaeaee2ce8a06fb13cbbecae4ce34fc2f902208f9baedb9d6

SHA512
4490a9b1cc99479a1a6c6ecec2a457343b1bcf20522f13d44287673c45f96b2770ba5c811f974a911d1a3a7984d82a9a73c3883b2e8fb2c174e9c64468118841

Download Submit