Analysis

  • max time kernel
    132s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/05/2024, 00:36

General

  • Target

    2024-05-25_5cca93d10c29f3ee1bc0bf38e57d5033_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    5cca93d10c29f3ee1bc0bf38e57d5033

  • SHA1

    dc4188791508407f0a31818b18ec05e61efe1635

  • SHA256

    3ff7f458246b1581a908a35cb44bcb65ab407cd77d86dc8892f5086e8140fb0c

  • SHA512

    35c2efd93c80262849f0a72c46fdf6d4ce8bf2dc174236951b2b1ab7c04c7e43009d79e53053905944c1031ae6fbbf17e65dd433e705c462bfdb53fea72bc028

  • SSDEEP

    6144:PQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:PQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-25_5cca93d10c29f3ee1bc0bf38e57d5033_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5cca93d10c29f3ee1bc0bf38e57d5033_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe"
        3⤵
        • Executes dropped EXE
        PID:2736
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3980,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4488 /prefetch:8
    1⤵
      PID:4924

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\SearchIndexerDB.exe

            Filesize

            280KB

            MD5

            74efd4ef879969a3451d1b75520b70f4

            SHA1

            71eca9d0fe6c723714cc57f11d1b711940f70a5d

            SHA256

            32691aff0d52b6dc4ffc721d08bba138c0e67444995d99d3ab87ba70b89edcb6

            SHA512

            ce0f9ced95aa624f4a9ea60fe7abf13dc00136e35e3b55cc39493c78449295df750ebcab7145092200215d252139d7d1d381bb4e191c273c0dcd602c47ac650e