Analysis
- max time kernel: 133s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 18:19
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Resource: win10v2004-20240508-en
General
- Target: 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
- Size: 280KB
- MD5: ceb8d72171999b8d9901f10e0d90103d
- SHA1: cc46b41b3005a8dafa3cdcf871c27d9da582080c
- SHA256: 3b4cf516bd4119cbbdcf878b99d6094963fe0cac3dd51a0cc9d61a0ac2c3a6b6
- SHA512: fbedff636a02fc4354fbafc0b1fef21fdfb2e6e5325b1536e2499c14bb0a64e506d009d2ca57e8919b1e793a2b5eaf51157c6130137b3471931f01ed92eea8b5
- SSDEEP: 6144:RQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:RQMyfmNFHfnWfhLZVHmOog
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  3004 | dwmsys.exe
  1784 | dwmsys.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (30 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\systemui\shell\open\command | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\systemui\shell\open | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\open | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\dwmsys.exe\" /START \"%1\" %*" | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\runas\command | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\systemui\ = "Application" | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*" | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\systemui\Content-Type = "application/x-msdownload" | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\systemui\DefaultIcon | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\Content-Type = "application/x-msdownload" | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\open\command | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\systemui\shell | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\systemui\shell\runas | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\systemui\shell\runas\command\ = "\"%1\" %*" | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\DefaultIcon | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\shell\runas | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\systemui | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\systemui\DefaultIcon\ = "%1" | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*" | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\systemui\shell\runas\command | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*" | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\ = "systemui" | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.exe\DefaultIcon\ = "%1" | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\dwmsys.exe\" /START \"%1\" %*" | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 3004 | dwmsys.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 4928 wrote to memory of 3004 | 4928 | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe | dwmsys.exe
  PID 4928 wrote to memory of 3004 | 4928 | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe | dwmsys.exe
  PID 4928 wrote to memory of 3004 | 4928 | 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe | dwmsys.exe
  PID 3004 wrote to memory of 1784 | 3004 | dwmsys.exe | dwmsys.exe
  PID 3004 wrote to memory of 1784 | 3004 | dwmsys.exe | dwmsys.exe
  PID 3004 wrote to memory of 1784 | 3004 | dwmsys.exe | dwmsys.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\dwmsys.exe
  Filesize: 280KB
  MD5: 54af5b1fa551822311d463ef79ac4e14
  SHA1: cf4abbec06184444c343274630ea036f1eba516d
  SHA256: ea2086810dbeefedea1e32e3b56de516f3e3780623651444d977fd0ea458cb35
  SHA512: eaa58c1aad83b19f2406053d43dcf262283922f4421bb5690c3c3b77ff012a57a562947c3b9646f2045998574bdc2217fa9a12b2ea91ec464c9f04bb629850f2