Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
25/04/2024, 05:32
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe
Resource
win10v2004-20240412-en
General
-
Target
2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe
-
Size
344KB
-
MD5
54c242885a6aeffd642918a3851b390a
-
SHA1
85133557f19905fc2c886e7e8e1c808f8819971c
-
SHA256
c63db7e699b980a80d6e34f860029e3e5e901312679031b0a07f9706833201b4
-
SHA512
210c10e2157fc039e909dffce260416703f73cf00d256a21f33f74d9cb27db382f0d489d0744b5e2169676c963c4709606ee3fc8ab69667c37ee1a00a09ff2e9
-
SSDEEP
6144:TTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:TTBPFV0RyWl3h2E+7pYm0
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe -
Executes dropped EXE 2 IoCs
pid Process 2584 lsassys.exe 1184 lsassys.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 30 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\halnt\ = "Application" 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\halnt\shell\open\command 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\halnt\shell\runas\command\ = "\"%1\" %*" 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\runas\command 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\halnt\Content-Type = "application/x-msdownload" 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\runas 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\halnt\DefaultIcon\ = "%1" 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*" 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\halnt\DefaultIcon 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\halnt\shell\open\command\IsolatedCommand = "\"%1\" %*" 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\halnt\shell\runas\command\IsolatedCommand = "\"%1\" %*" 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\DefaultIcon 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\halnt\shell 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\halnt\shell\open 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\open\command 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\lsassys.exe\" /START \"%1\" %*" 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\halnt 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\halnt\shell\runas 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\halnt\shell\runas\command 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\ = "halnt" 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\DefaultIcon\ = "%1" 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\open 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\halnt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\lsassys.exe\" /START \"%1\" %*" 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\Content-Type = "application/x-msdownload" 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2584 lsassys.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1152 wrote to memory of 2584 1152 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe 89 PID 1152 wrote to memory of 2584 1152 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe 89 PID 1152 wrote to memory of 2584 1152 2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe 89 PID 2584 wrote to memory of 1184 2584 lsassys.exe 90 PID 2584 wrote to memory of 1184 2584 lsassys.exe 90 PID 2584 wrote to memory of 1184 2584 lsassys.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-25_54c242885a6aeffd642918a3851b390a_mafia_nionspy.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"3⤵
- Executes dropped EXE
PID:1184
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344KB
MD5c0238ff134caaafc2c885e84f16a87f8
SHA1aedff9d4b18f2445f86905f1dd85a6fd5ae87cb2
SHA256a67d38dfaf2e556639632308688c6143d4d07516465d3e101cb7424fc93cfb8e
SHA5129c30a810d7b3f6b628cef817eba42b5f8afb5184ce0945d81b5ae849ad297c6ce474193e66162e6e5cf8e7ac5e6ee4f63132f8d4d31ef9520d934bba5f3e2d35