f86558c55d9dd37316c76321dc2ea56ce485857c50e67a18732f0d3fadf475a6

Analysis

max time kernel
20s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Size

328KB
MD5

2d3044035d427b87663cddeb5f83281f
SHA1

8abd9e629a6c7c6a7eb7e5c946d010abe2834446
SHA256

f86558c55d9dd37316c76321dc2ea56ce485857c50e67a18732f0d3fadf475a6
SHA512

509e094ccc5626f6389dd12ac869894fe351653323024035855642ee2aca155c25472b3ce272ca872eab2130eebd0b3c07d13114461c5cde1eaecbe680725c1a
SSDEEP

6144:p2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDh1v:p2TFafJiHCWBWPMjVWrXf1v

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open\command	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\runas	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\DefaultIcon	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\runas\command\ = "\"%1\" %*"	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\ = "Application"	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\Content-Type = "application/x-msdownload"	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\csrssys.exe\" /START \"%1\" %*"	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\open\command	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\open	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\runas\command	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\DefaultIcon	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\csrssys.exe\" /START \"%1\" %*"	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\DefaultIcon\ = "%1"	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\wexplorer\shell	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\ = "wexplorer"	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.exe\shell\runas\command	2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_2d3044035d427b87663cddeb5f83281f_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
PID:2648
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe"
  2⤵
  PID:1336
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe"
    3⤵
    PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3276 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe

Filesize
328KB

MD5
c4899050ec87c6f3586a1c25e9b2d9e4

SHA1
c18180e2c3068077215816bb59e1d5213628a42f

SHA256
d704d4fd1429b1c031e710a32ab2486dce12df72bdcc4258977289e71b951555

SHA512
67c3491c9933c28fd4c58015e64668148dfa1cf5d6d84bc5976b5ccd62983941acb58798f30df37d1c4541469f2baaea98916fabb1b9aef0367dfc1688005149

Download Submit