Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted
03/06/2024, 10:39
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe
Resource
win10v2004-20240426-en
General
-
Target
2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe
-
Size
279KB
-
MD5
dcea9ddaa24bc1c50eda1bca9b6ab849
-
SHA1
93fb9b86a4c20ffc6a3022945a14852b46cb2adf
-
SHA256
02874dafe44a7f2ad7e4f9c7b2806d585909dfb2fac8454007da8317ce8443aa
-
SHA512
16c283c829589731b860bc57913e85e17027a2aecf7eba3492465ea0a929d633011fccc12061880508a48d2eae039426c694cd62dab3a5338914301e1dd5bdf1
-
SSDEEP
6144:dTz+WrPFZvTXb4RyW42vFlOloh2E+7phg7ozD:dTBPFV0RyWl3h2E+7ph
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation
Process: 2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe
Executes dropped EXE 2 IoCs
pid   Process
4040  wlogon32.exe
1432  wlogon32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 30 IoCs
Process (all 30 entries): 2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\Content-Type = "application/x-msdownload"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\wlogon32.exe\" /START \"%1\" %*"
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\runas
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\DefaultIcon
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\ = "haldriver"
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\runas
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\open\command
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\wlogon32.exe\" /START \"%1\" %*"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\open
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\open
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\runas\command
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\Content-Type = "application/x-msdownload"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\DefaultIcon\ = "%1"
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\open\command
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\DefaultIcon\ = "%1"
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\DefaultIcon
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\ = "Application"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*"
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\runas\command
-
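The entries above amount to a per-user .exe file-association hijack. \REGISTRY\USER\<SID>_Classes is the HKCU\Software\Classes hive, so no elevation is needed: the sample points the (Default) value of .exe at the ProgID "haldriver" and sets both .exe\shell\open\command and haldriver\shell\open\command to "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe" /START "%1" %*, so every executable launched through the shell's open verb starts the dropped wlogon32.exe with the intended program as its argument (the process tree below shows /START "<path>" spawning that path as a child). The runas commands and the IsolatedCommand values are left at the clean "%1" %*, so an elevated launch does not pass through the implant. The script below is an added example and is not part of the sandbox report or of the sample: it parses IoC lines in the report's own Set value (str) <key> = "<data>" format (data C-style escaped, as printed above), resolves .exe to the ProgID it delegates to, and flags any shell verb whose command is not the expected "%1" %*. The embedded IoC lines are a constructed subset copied from the list above.

```python
import re
from typing import Dict, List, NamedTuple

# What HKCU\Software\Classes\.exe\shell\<verb>\command holds on a clean host.
CLEAN_COMMAND = '"%1" %*'

# Constructed sample input: a subset of the "Modifies registry class" IoCs from
# the report above, in the sandbox's own 'Set value (str) <key> = "<data>"' form.
SAMPLE_IOCS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\ = "haldriver"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\wlogon32.exe\" /START \"%1\" %*"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\ = "Application"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\wlogon32.exe\" /START \"%1\" %*"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*"
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\haldriver\shell\open\command
'''

# Key runs up to the first ' = "'; data is C-style escaped (\\ = backslash, \" = quote),
# so a quote inside the data is always preceded by a backslash.
SET_VALUE_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<data>(?:[^"\\]|\\.)*)"\s*$')
VERB_COMMAND_RE = re.compile(r'^(?P<base>.+)\\shell\\(?P<verb>\w+)\\command$')


class Finding(NamedTuple):
    value_path: str   # normalised registry path of the (Default) command value
    verb: str         # shell verb whose command was replaced (open, runas, ...)
    command: str      # decoded command line the shell would run
    handler: str      # executable at the front of that command line


def unescape(data: str) -> str:
    """Undo the sandbox's C-style escaping of REG_SZ data."""
    return re.sub(r'\\(.)', r'\1', data)


def parse_iocs(text: str) -> Dict[str, str]:
    """Map normalised registry value path -> decoded string data.

    A trailing backslash on the key denotes the (Default) value; it is stripped,
    and paths are lower-cased because the registry is case-insensitive.
    """
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if m:
            values[m.group('key').rstrip('\\').lower()] = unescape(m.group('data'))
    return values


def handler_of(command: str) -> str:
    """First token of a command line: the quoted path if present, else the first word."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ''


def find_exe_hijack(values: Dict[str, str]) -> List[Finding]:
    """Flag every .exe shell verb whose command no longer simply runs the file itself."""
    # Bases whose shell\<verb>\command governs how .exe files launch: the .exe class
    # itself plus whatever ProgID its (Default) value delegates to (here "haldriver").
    bases = set()
    for path, data in values.items():
        if path.endswith('\\.exe'):
            bases.add(path)
            if data:
                bases.add(path[:-len('.exe')] + data.lower())
        elif re.search(r'\\\.exe\\shell\\\w+\\command$', path):
            bases.add(path[:path.index('\\shell\\')])
    findings = []
    for path, data in sorted(values.items()):
        m = VERB_COMMAND_RE.match(path)
        if m and m.group('base') in bases and data != CLEAN_COMMAND:
            findings.append(Finding(path, m.group('verb'), data, handler_of(data)))
    return findings


if __name__ == '__main__':
    for f in find_exe_hijack(parse_iocs(SAMPLE_IOCS)):
        print(f'{f.verb:5} {f.value_path}\n      -> {f.handler}')
```

On the sample above this reports the two "open" commands and the wlogon32.exe path behind them, and nothing for "runas". On a live host the equivalent check is reg query HKCU\Software\Classes\.exe /ve followed by reg query on the ProgID's shell\open\command; HKCU\Software\Classes takes precedence over HKLM\Software\Classes when HKCR is resolved, which is why a user-writable key is enough to intercept every double-click.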
Suspicious use of AdjustPrivilegeToken 1 IoCs
description                        pid   Process
Token: SeIncBasePriorityPrivilege  4040  wlogon32.exe
Suspicious use of WriteProcessMemory 6 IoCs
description                       pid   Process                                                        procid_target
PID 4472 wrote to memory of 4040  4472  2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe  85
PID 4472 wrote to memory of 4040  4472  2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe  85
PID 4472 wrote to memory of 4040  4472  2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe  85
PID 4040 wrote to memory of 1432  4040  wlogon32.exe                                                   86
PID 4040 wrote to memory of 1432  4040  wlogon32.exe                                                   86
PID 4040 wrote to memory of 1432  4040  wlogon32.exe                                                   86
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-03_dcea9ddaa24bc1c50eda1bca9b6ab849_mafia_nionspy.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4472
  C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe (depth 2, child of PID 4472)
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4040
    C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe (depth 3, child of PID 4040)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\wlogon32.exe"
    - Executes dropped EXE
    PID: 1432
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
279KB
MD5
ef8e3b18485647620e27324494dff9b5
SHA1
4bba9bfc1787bc084ccf839a20c7e4784023ffc7
SHA256
8d9a3c34a10796d58f0f629d9a6b54d656f861af7347f728e2090d8877bade36
SHA512
726522af3bd64ba5e887a39343b326e8981fd513db944fb96e01b674753ee4575078bb907e4eec99cd4336336d17720a1f5c868ba721c8b6108558cceb22fedb