Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-04-2024 22:36
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
  Resource: win10v2004-20240226-en
General
- Target: 2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
- Size: 280KB
- MD5: 8af0a9b33e141b2dffd58800fc02ad83
- SHA1: 4ea588994e0b6ecb2b35c1d8a8b5ee77dad42129
- SHA256: 71e3b0ed0049a94a0e79d10a1238f8eb4081c2537552cc14c7e792a661ad4ebc
- SHA512: c6e4562860fa2d563a28beba79b70b2761da5a8367b666f131bb9df019992c5fd7b5388ce1312dc4faa928b9202b245bed29eced34c5197a071e106d8492c769
- SSDEEP: 6144:yTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:yTBPFV0RyWl3h2E+7pl
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
- Executes dropped EXE (2 IoCs)
  Processes: winit32.exe, winit32.exe
  pid | process
  384 | winit32.exe
  2492 | winit32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (30 IoCs)
  Processes: 2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe (the process column is this executable for every row below)
  description | ioc
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas\command
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ntdriver\shell
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ntdriver\shell\runas\command
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ntdriver\shell\runas\command\ = "\"%1\" %*"
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ntdriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\ = "ntdriver"
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\DefaultIcon\ = "%1"
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\DefaultIcon
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open\command
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\winit32.exe\" /START \"%1\" %*"
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ntdriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\winit32.exe\" /START \"%1\" %*"
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ntdriver
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ntdriver\DefaultIcon
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ntdriver\DefaultIcon\ = "%1"
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ntdriver\Content-Type = "application/x-msdownload"
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ntdriver\ = "Application"
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ntdriver\shell\open\command
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\Content-Type = "application/x-msdownload"
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ntdriver\shell\open
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ntdriver\shell\open\command\IsolatedCommand = "\"%1\" %*"
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ntdriver\shell\runas
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: winit32.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 384 | winit32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe, winit32.exe
  description | pid | process | target process
  PID 1800 wrote to memory of 384 | 1800 | 2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe | winit32.exe
  PID 1800 wrote to memory of 384 | 1800 | 2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe | winit32.exe
  PID 1800 wrote to memory of 384 | 1800 | 2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe | winit32.exe
  PID 384 wrote to memory of 2492 | 384 | winit32.exe | winit32.exe
  PID 384 wrote to memory of 2492 | 384 | winit32.exe | winit32.exe
  PID 384 wrote to memory of 2492 | 384 | winit32.exe | winit32.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-27_8af0a9b33e141b2dffd58800fc02ad83_mafia_nionspy.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Posix\winit32.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\winit32.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Posix\winit32.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\winit32.exe"
      - Executes dropped EXE
- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Posix\winit32.exe
  Filesize: 280KB
  MD5: 731f447b5fa43e65d038eb9c2c022cd6
  SHA1: e1539bf61b4bd09a51a025a7075caff820633fa7
  SHA256: bdf0f28389c8b77117ac874557372d8e9261ad15146412893dc6d283883e408d
  SHA512: bf90f1075168103866e9ebd75753b6f6c523d50db27bbe9c6b24cf8ae52c26afcba3d48362ea8b131c9fd8e997064a58ed3cec7e64d85a1d0cc8a7a6401661ac