34543a08e10f9ba210092b7473d4e83e34b02883b596f6bcc22bcd4524237644

Analysis

max time kernel
141s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Size

327KB
MD5

d5ff4dd8c09d7662bce486eaf1c2c58c
SHA1

0de2703e122024772318bb9d80aa1d096f683b56
SHA256

34543a08e10f9ba210092b7473d4e83e34b02883b596f6bcc22bcd4524237644
SHA512

73b99cbdbccd9199dbc55b693887172dd6a89d47cdd72cb1eb0751817af5c7a605445bd83345009b26f1e38bb91b0c991a5067db56daef1d0049947107d69169
SSDEEP

6144:i2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:i2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
1492	sidebar2.exe
1904	sidebar2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\open\command	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\sidebar2.exe\" /START \"%1\" %*"	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\prochost\Content-Type = "application/x-msdownload"	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\prochost\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\prochost\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\ = "prochost"	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\DefaultIcon	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\prochost\shell	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\prochost\ = "Application"	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\prochost\shell\runas\command	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\prochost\shell\runas	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\prochost\shell\open\command	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\prochost\shell\open	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\prochost\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\sidebar2.exe\" /START \"%1\" %*"	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\open	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\prochost	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\prochost\DefaultIcon\ = "%1"	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\runas\command	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\runas	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\prochost\shell\runas\command\ = "\"%1\" %*"	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\prochost\DefaultIcon	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1492	sidebar2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1492	544	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe	90
PID 544 wrote to memory of 1492	544	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe	90
PID 544 wrote to memory of 1492	544	2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe	90
PID 1492 wrote to memory of 1904	1492	sidebar2.exe	91
PID 1492 wrote to memory of 1904	1492	sidebar2.exe	91
PID 1492 wrote to memory of 1904	1492	sidebar2.exe	91

C:\Users\Admin\AppData\Local\Temp\2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-16_d5ff4dd8c09d7662bce486eaf1c2c58c_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:544
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe"
    3⤵
    - Executes dropped EXE
    PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\sidebar2.exe

Filesize
327KB

MD5
3c658ee9865cd42609b6612e33a34ef9

SHA1
a7f72ca0c7e563db6d107e1b9ae9e380836ec23d

SHA256
d6afdabb378bb26a18dd1489169e5907a5425c7bc2b8d7841713d47ac1517ea4

SHA512
440a699ee5bcdffe8a6a8b19967f08478e9cb2aa32598b04aa94950f716265d68c7638dbc5667ae4dc9ffc2cc30e2d08b84910b10aab31937e4490abbc8f4b2f

Download Submit