c7cb37f520a26d281b77bfc6a9877b5e145fa1f1a543b120bca7074b3d8e7e34

General

Target

2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Size

280KB
MD5

1b6da1de4478aef3642caa2169fe9a89
SHA1

97bac0043df18ac47181855d375fe79df57fa854
SHA256

c7cb37f520a26d281b77bfc6a9877b5e145fa1f1a543b120bca7074b3d8e7e34
SHA512

4f7a1a084ee591091fc6308836d13b32371dc7265f624d9653c56e14defb2e16f6def2f0acb380b3caa70b57262f4e32c40d27e634135f61ec0d2855569a8d76
SSDEEP

6144:oTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:oTBPFV0RyWl3h2E+7pl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

Processes:

taskhostsys.exetaskhostsys.exe

pid process

1676 taskhostsys.exe
4016 taskhostsys.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1676	taskhostsys.exe
4016	taskhostsys.exe

Modifies registry class 30 IoCs

Processes:

2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\.exe\shell\open	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\taskhostsys.exe\" /START \"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\jitc	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\jitc\ = "Application"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\.exe\ = "jitc"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\.exe\DefaultIcon	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\taskhostsys.exe\" /START \"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\.exe\shell\runas\command	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\.exe\shell\runas	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\jitc\DefaultIcon\ = "%1"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\jitc\shell\runas\command	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\.exe	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\.exe\shell\open\command	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\.exe\shell	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\jitc\shell\open\command	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\jitc\DefaultIcon	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\jitc\shell	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\jitc\shell\open	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\jitc\shell\runas	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\jitc\Content-Type = "application/x-msdownload"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\jitc\shell\runas\command\ = "\"%1\" %*"	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskhostsys.exe

description pid process

Token: SeIncBasePriorityPrivilege 1676 taskhostsys.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1676	taskhostsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exetaskhostsys.exe

description	pid	process	target process
PID 3700 wrote to memory of 1676	3700	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe	taskhostsys.exe
PID 3700 wrote to memory of 1676	3700	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe	taskhostsys.exe
PID 3700 wrote to memory of 1676	3700	2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe	taskhostsys.exe
PID 1676 wrote to memory of 4016	1676	taskhostsys.exe	taskhostsys.exe
PID 1676 wrote to memory of 4016	1676	taskhostsys.exe	taskhostsys.exe
PID 1676 wrote to memory of 4016	1676	taskhostsys.exe	taskhostsys.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_1b6da1de4478aef3642caa2169fe9a89_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe"
3⤵
- Executes dropped EXE
PID:4016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe
Filesize
280KB

MD5
79bd71a6444ff8999635b7560713a9dd

SHA1
eb14763f065eb942c45c795a71b538d16480c806

SHA256
fd88ee864966cf320a35a6057302aede2390ca842ff09028511443c4fe5490f4

SHA512
a50e32dab702dd6489fb9c4ade773dc0db48dd85552f4780f6b68c175a1db9500e131db9be1ac10217d1940252ca2871f612899dd5e049a7c6aebdf900659b4f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads