1c475c3f4259d7f8f3ac0d528909a8acb1960a450593e630765544d0862d62bd

Analysis

max time kernel
121s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Size

344KB
MD5

f1c9851207f92c1b27ddfbf6e804b8b6
SHA1

f219921f970f2c24585fd47ce6eb61db2e9963cb
SHA256

1c475c3f4259d7f8f3ac0d528909a8acb1960a450593e630765544d0862d62bd
SHA512

35a2348e8aee532b87a65a544ac066456ba5c92e6637b1c2a148789d21caaf9851602694d2d8e1332d55a93ef87f7e21b8ef542577e28f2176a6e689ae9d8c27
SSDEEP

6144:NTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:NTBPFV0RyWl3h2E+7pYm0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
4340	csrssys.exe
412	csrssys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\wexplorer	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\wexplorer\ = "Application"	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.exe\shell\runas\command	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\wexplorer\Content-Type = "application/x-msdownload"	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\wexplorer\shell	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.exe\DefaultIcon	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\csrssys.exe\" /START \"%1\" %*"	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.exe\shell\open\command	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.exe\ = "wexplorer"	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.exe\shell	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\wexplorer\shell\runas	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\wexplorer\shell\open\command	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\wexplorer\shell\open	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\wexplorer\shell\runas\command	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.exe\shell\open	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.exe	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\wexplorer\DefaultIcon	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\wexplorer\DefaultIcon\ = "%1"	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\csrssys.exe\" /START \"%1\" %*"	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\wexplorer\shell\runas\command\ = "\"%1\" %*"	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.exe\shell\runas	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4340	csrssys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 4340	3888	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe	89
PID 3888 wrote to memory of 4340	3888	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe	89
PID 3888 wrote to memory of 4340	3888	2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe	89
PID 4340 wrote to memory of 412	4340	csrssys.exe	90
PID 4340 wrote to memory of 412	4340	csrssys.exe	90
PID 4340 wrote to memory of 412	4340	csrssys.exe	90

C:\Users\Admin\AppData\Local\Temp\2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_f1c9851207f92c1b27ddfbf6e804b8b6_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe"
    3⤵
    - Executes dropped EXE
    PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe

Filesize
344KB

MD5
2edd9824aab01f80c8e03237c5581e45

SHA1
43c78cbd578b06613848f851808313c3c15c52d2

SHA256
5a8ade91398c96e127315c42643d0a55d4ac54bc11a9ead77e261632f9c13892

SHA512
5c859b6e0f7b732ee3421912fb20da9e1fbb8ad2d2aa97975c49d93bc7956b94b913b5ab95511b70c95a69c37e4028edc5d1c32e79b8a97788560df4ea180291

Download Submit