f5dd34524047402933fed607c651e7e14915de85b583facd34963463d87398d7

Analysis

max time kernel
127s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Size

344KB
MD5

633ad425ddc58837512be320b09df64b
SHA1

b9eda4cc02dcd38091fbc8c1d0b501bff1152284
SHA256

f5dd34524047402933fed607c651e7e14915de85b583facd34963463d87398d7
SHA512

913d14e9955829466dad37cc54568cf0697ec5b216381a7cc4ce87d2bff45084784b52100954688f504ddc6a2358b36aa11255ed989eaade04f88e47c5ae2410
SSDEEP

6144:jTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:jTBPFV0RyWl3h2E+7pYm0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
2324	wlogon32.exe
2904	wlogon32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\haldriver\shell\runas\command	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*"	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.exe	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\haldriver\shell\open\command	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\wlogon32.exe\" /START \"%1\" %*"	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.exe\ = "haldriver"	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\wlogon32.exe\" /START \"%1\" %*"	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.exe\shell\open\command	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\haldriver\ = "Application"	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\haldriver\DefaultIcon\ = "%1"	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.exe\shell\runas	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\haldriver\shell	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.exe\shell\runas\command	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\haldriver	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\haldriver\shell\open	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\haldriver\Content-Type = "application/x-msdownload"	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\haldriver\DefaultIcon	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.exe\DefaultIcon	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.exe\shell	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.exe\shell\open	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\haldriver\shell\runas	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2324	wlogon32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 2324	216	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe	85
PID 216 wrote to memory of 2324	216	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe	85
PID 216 wrote to memory of 2324	216	2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe	85
PID 2324 wrote to memory of 2904	2324	wlogon32.exe	86
PID 2324 wrote to memory of 2904	2324	wlogon32.exe	86
PID 2324 wrote to memory of 2904	2324	wlogon32.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_633ad425ddc58837512be320b09df64b_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe"
    3⤵
    - Executes dropped EXE
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\wlogon32.exe

Filesize
344KB

MD5
eb9f1cb879e1f253d1168d210e4a5462

SHA1
c68ad246804670effd3d490e2d7b2d9d022e7e6c

SHA256
fa4013607878643459a26652041dc4d51c8cdb493d6c1ebaa7a67ef9e4490603

SHA512
ef87def3345b7e9a6eaca9c89d0c25107ebd0cf34c7c3862bce34ea10c5e893398b611271bdde7cc751b645c149018ff3f865575ad0cbddd3191865d3a3e1ec6

Download Submit