43ad7b5b98889dde80869c308f806c12eed6dea74d00e44aae00a883c8da455c

General

Target

2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Size

274KB
MD5

e74f9822aa60915ec053281ebb5b1f21
SHA1

a78da3d5873df693d372a142b900de309bf38bfb
SHA256

43ad7b5b98889dde80869c308f806c12eed6dea74d00e44aae00a883c8da455c
SHA512

8910a72fcaaf886da756902636cae2373262fb88575e268a81dda5b9326e3be28086034de9ec5dbaff018c4aff62889f46f48e7dd9035fda83da6c4676737642
SSDEEP

6144:KYvZ6brUj+bvqHXSpWr2Kqz83Oad3Jg4PlPDIQ+KLzDDg:KYvEbrUjp3SpWggd3JBPlPDIQ3g

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

Processes:

dwmsys.exedwmsys.exe

pid process

4644 dwmsys.exe
4444 dwmsys.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4644	dwmsys.exe
4444	dwmsys.exe

Modifies registry class 30 IoCs

Processes:

2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\systemui\shell\runas\command\ = "\"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\systemui	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.exe	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.exe\shell\open	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\systemui\DefaultIcon\ = "%1"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\systemui\shell\open\command	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\systemui\shell\runas	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.exe\ = "systemui"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.exe\shell	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.exe\shell\runas\command	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.exe\shell\open\command	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\dwmsys.exe\" /START \"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.exe\shell\runas	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\systemui\DefaultIcon	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\systemui\shell	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.exe\DefaultIcon	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\dwmsys.exe\" /START \"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\systemui\ = "Application"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\systemui\Content-Type = "application/x-msdownload"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\systemui\shell\open	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\systemui\shell\runas\command	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dwmsys.exe

description pid process

Token: SeIncBasePriorityPrivilege 4644 dwmsys.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4644	dwmsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exedwmsys.exe

description	pid	process	target process
PID 4084 wrote to memory of 4644	4084	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe	dwmsys.exe
PID 4084 wrote to memory of 4644	4084	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe	dwmsys.exe
PID 4084 wrote to memory of 4644	4084	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe	dwmsys.exe
PID 4644 wrote to memory of 4444	4644	dwmsys.exe	dwmsys.exe
PID 4644 wrote to memory of 4444	4644	dwmsys.exe	dwmsys.exe
PID 4644 wrote to memory of 4444	4644	dwmsys.exe	dwmsys.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644

C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe"
3⤵
- Executes dropped EXE
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe

Filesize
274KB

MD5
dd5389df95d5f7974bdf8bc523416139

SHA1
1d63b7cba1033d6422ee8ac1e07a1da4dd3c5427

SHA256
4c7648fe6cb11be9d9b44541edd6671fe993bf0bdb39a7c4d0d89a62d34c51f6

SHA512
fc4eb797d1a554d0ac536142d3f2ed320147b20b563d045f626bb55af5a1b4622e4a13dde845d9023c853c5cf297d717ce5781cb12e00feb9c452a0bfc6d00bd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads