Analysis
- max time kernel: 132s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/05/2024, 00:36

Static task: static1

Behavioral task: behavioral1
- Sample: 2024-05-25_5cca93d10c29f3ee1bc0bf38e57d5033_mafia_nionspy.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 2024-05-25_5cca93d10c29f3ee1bc0bf38e57d5033_mafia_nionspy.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-05-25_5cca93d10c29f3ee1bc0bf38e57d5033_mafia_nionspy.exe
- Size: 280KB
- MD5: 5cca93d10c29f3ee1bc0bf38e57d5033
- SHA1: dc4188791508407f0a31818b18ec05e61efe1635
- SHA256: 3ff7f458246b1581a908a35cb44bcb65ab407cd77d86dc8892f5086e8140fb0c
- SHA512: 35c2efd93c80262849f0a72c46fdf6d4ce8bf2dc174236951b2b1ab7c04c7e43009d79e53053905944c1031ae6fbbf17e65dd433e705c462bfdb53fea72bc028
- SSDEEP: 6144:PQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:PQMyfmNFHfnWfhLZVHmOog
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation (process: 2024-05-25_5cca93d10c29f3ee1bc0bf38e57d5033_mafia_nionspy.exe)

- Executes dropped EXE (2 IoCs)
  - PID 4440: SearchIndexerDB.exe
  - PID 2736: SearchIndexerDB.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
-
- Modifies registry class (30 IoCs)
  All entries below were made by process 2024-05-25_5cca93d10c29f3ee1bc0bf38e57d5033_mafia_nionspy.exe.
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\cmos\shell\runas\command\ = "\"%1\" %*"
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\cmos\DefaultIcon\ = "%1"
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\cmos\shell\open
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.exe\shell\open
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\cmos\Content-Type = "application/x-msdownload"
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\cmos\shell\runas
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\cmos\shell\runas\command\IsolatedCommand = "\"%1\" %*"
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\cmos\shell\runas\command
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.exe\DefaultIcon\ = "%1"
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\SearchIndexerDB.exe\" /START \"%1\" %*"
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\cmos\DefaultIcon
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.exe\Content-Type = "application/x-msdownload"
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.exe\DefaultIcon
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.exe\shell\open\command
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.exe\shell
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.exe\shell\runas\command
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.exe\shell\runas
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\cmos\ = "Application"
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\cmos\shell\open\command
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\cmos\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\SearchIndexerDB.exe\" /START \"%1\" %*"
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\cmos
  - Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\cmos\shell
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.exe\ = "cmos"
  - Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\cmos\shell\open\command\IsolatedCommand = "\"%1\" %*"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeIncBasePriorityPrivilege (PID 4440, SearchIndexerDB.exe)

- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 2520 (2024-05-25_5cca93d10c29f3ee1bc0bf38e57d5033_mafia_nionspy.exe) wrote to memory of PID 4440 (target 92)
  - PID 2520 (2024-05-25_5cca93d10c29f3ee1bc0bf38e57d5033_mafia_nionspy.exe) wrote to memory of PID 4440 (target 92)
  - PID 2520 (2024-05-25_5cca93d10c29f3ee1bc0bf38e57d5033_mafia_nionspy.exe) wrote to memory of PID 4440 (target 92)
  - PID 4440 (SearchIndexerDB.exe) wrote to memory of PID 2736 (target 93)
  - PID 4440 (SearchIndexerDB.exe) wrote to memory of PID 2736 (target 93)
  - PID 4440 (SearchIndexerDB.exe) wrote to memory of PID 2736 (target 93)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-25_5cca93d10c29f3ee1bc0bf38e57d5033_mafia_nionspy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5cca93d10c29f3ee1bc0bf38e57d5033_mafia_nionspy.exe"
  PID: 2520
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe (child)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe"
    PID: 4440
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe (child)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe"
      PID: 2736
      - Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3980,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4488 /prefetch:8
  PID: 4924
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 280KB
- MD5: 74efd4ef879969a3451d1b75520b70f4
- SHA1: 71eca9d0fe6c723714cc57f11d1b711940f70a5d
- SHA256: 32691aff0d52b6dc4ffc721d08bba138c0e67444995d99d3ab87ba70b89edcb6
- SHA512: ce0f9ced95aa624f4a9ea60fe7abf13dc00136e35e3b55cc39493c78449295df750ebcab7145092200215d252139d7d1d381bb4e191c273c0dcd602c47ac650e