6184945b0968ef84e0f364b4e43f9c2e60c458376da6f6b4534dc4eee249d801

Analysis

max time kernel
121s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 02:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Size

348KB
MD5

cb1fd485a8f39c01a3d32f1f736d9f88
SHA1

c368cd52010d4a42a011986246f377e8bb40a417
SHA256

6184945b0968ef84e0f364b4e43f9c2e60c458376da6f6b4534dc4eee249d801
SHA512

bd85b1994d02423cbc7001e29247ea60fbc87d161e5fbcfe766a8d4b463b22be5626266b93ed3bc9b7eb7de20cb39e401cf50a4f49fd3203b67bbc28cf08e996
SSDEEP

6144:h2+JS2sFZfI8U0obHCW/2a7XQcsPMjVWr289gkPzDhmv:h2TFZfJiHCWBWPMjVWrHfmv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
1960	winit32.exe
628	winit32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\open\command	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ntdriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\winit32.exe\" /START \"%1\" %*"	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ntdriver\shell\runas\command\ = "\"%1\" %*"	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ntdriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\ = "ntdriver"	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\DefaultIcon	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\runas\command	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ntdriver\Content-Type = "application/x-msdownload"	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ntdriver\shell\open\command	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ntdriver\ = "Application"	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\runas	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ntdriver\shell\open	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ntdriver\DefaultIcon\ = "%1"	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ntdriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\open	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ntdriver	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ntdriver\shell\runas	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ntdriver\shell	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ntdriver\shell\runas\command	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\winit32.exe\" /START \"%1\" %*"	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\ntdriver\DefaultIcon	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1960	winit32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 1960	428	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe	90
PID 428 wrote to memory of 1960	428	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe	90
PID 428 wrote to memory of 1960	428	2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe	90
PID 1960 wrote to memory of 628	1960	winit32.exe	91
PID 1960 wrote to memory of 628	1960	winit32.exe	91
PID 1960 wrote to memory of 628	1960	winit32.exe	91

C:\Users\Admin\AppData\Local\Temp\2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_cb1fd485a8f39c01a3d32f1f736d9f88_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:428
- C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe"
    3⤵
    - Executes dropped EXE
    PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\winit32.exe

Filesize
348KB

MD5
e00b85b81d3f1a242fad25ea93b45d06

SHA1
b351090c7280558cdb17bf8d809f51f7bb1f5a23

SHA256
67afdf8ffb9fe5ef27d094e24ed59106cc360c8241fb8187b58d4c68fcc7d521

SHA512
f44d5903aa42e558fe417d8d77f16982fa0288b2c26146e9923a2a853ad51c30956a33f4995bad0b840e6ec7b0e4be73871ade7716e01980e3702ca14aae1e92

Download Submit
memory/428-0-0x0000000000EE0000-0x0000000000F3C000-memory.dmp

Filesize
368KB

Download
memory/428-50-0x0000000000EE0000-0x0000000000F3C000-memory.dmp

Filesize
368KB

Download
memory/628-53-0x0000000000BB0000-0x0000000000C0C000-memory.dmp

Filesize
368KB

Download
memory/628-55-0x0000000000BB0000-0x0000000000C0C000-memory.dmp

Filesize
368KB

Download
memory/1960-52-0x0000000000BB0000-0x0000000000C0C000-memory.dmp

Filesize
368KB

Download
memory/1960-54-0x0000000000BB0000-0x0000000000C0C000-memory.dmp

Filesize
368KB

Download