3b3f5ed3e5c5eaccff06da24d73778f33ba955b930209c0f9ffc2fe9a8068676

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Size

280KB
MD5

dfb58d9b1f1724c49e1d751b12ec7270
SHA1

d97b0bc856d1c4ab225dfa49379192113771b906
SHA256

3b3f5ed3e5c5eaccff06da24d73778f33ba955b930209c0f9ffc2fe9a8068676
SHA512

92662be1f779750ce91bc84e9ee6b04e0fc763b2c1cd64409140037e2b86873a0ff39dce4ed59f9a06f10056eaefaf557802b95f7fb4337f7bc59a83100c2574
SSDEEP

6144:TTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:TTBPFV0RyWl3h2E+7pl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
432	taskhostsys.exe
4508	taskhostsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\jitc	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\jitc\DefaultIcon\ = "%1"	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\.exe	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\taskhostsys.exe\" /START \"%1\" %*"	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\jitc\shell\open	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\jitc\shell\runas\command	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\.exe\shell\open	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\.exe\shell\runas	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\jitc\shell	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\taskhostsys.exe\" /START \"%1\" %*"	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\.exe\DefaultIcon	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\.exe\shell\open\command	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\.exe\shell\runas\command	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\jitc\DefaultIcon	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\jitc\shell\open\command	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\jitc\shell\runas\command\ = "\"%1\" %*"	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\jitc\Content-Type = "application/x-msdownload"	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\.exe\ = "jitc"	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\jitc\ = "Application"	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\.exe\shell	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\jitc\shell\runas	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	432	taskhostsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 432	4768	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe	89
PID 4768 wrote to memory of 432	4768	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe	89
PID 4768 wrote to memory of 432	4768	2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe	89
PID 432 wrote to memory of 4508	432	taskhostsys.exe	90
PID 432 wrote to memory of 4508	432	taskhostsys.exe	90
PID 432 wrote to memory of 4508	432	taskhostsys.exe	90

C:\Users\Admin\AppData\Local\Temp\2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_dfb58d9b1f1724c49e1d751b12ec7270_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe"
    3⤵
    - Executes dropped EXE
    PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe

Filesize
280KB

MD5
960aadd1488d1245a9b84506620a722c

SHA1
e4d86a9b959e085425088294ec2a79a09bfa2253

SHA256
8d3bfade4c0009f8309983741ae8d5624fade2a240dcf13bcea8541402328ac2

SHA512
6a33504706dfa39045969fdb8d48486a0c8065128a4b7691cc07dff5ea1a7ccee98807a3d3e64f9a47a2fb98256b57d34d2b56330c009b6062e0999af8a106fb

Download Submit