12dc1de98af572bfe237d4ad59d8fbdaec32cfa7fe00335f4731e8f3f1582d6c

Analysis

max time kernel
121s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Size

344KB
MD5

13ed5138ed0fef95953a379a85ef4e12
SHA1

4ba17e76166dbe0fe09cf1695eff84a9b074e9f0
SHA256

12dc1de98af572bfe237d4ad59d8fbdaec32cfa7fe00335f4731e8f3f1582d6c
SHA512

31498e8d0b5a890f112d94a0407e2bacc753ee5ba2aaf258cbf46ea51e8de68038bed42c8d1d773673fd13e1d57fc74b55da7a67734d07c9bda906ba480e7825
SSDEEP

6144:XTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:XTBPFV0RyWl3h2E+7pYm0

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
464	csrssys.exe
3124	csrssys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrssys.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.exe	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.exe\ = "wexplorer"	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wexplorer	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wexplorer\ = "Application"	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wexplorer\Content-Type = "application/x-msdownload"	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wexplorer\shell\open	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wexplorer\shell\open\command	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wexplorer\shell\runas\command\ = "\"%1\" %*"	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.exe\shell	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wexplorer\shell\runas\command	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.exe\DefaultIcon	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.exe\shell\runas\command	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wexplorer\shell	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\csrssys.exe\" /START \"%1\" %*"	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\csrssys.exe\" /START \"%1\" %*"	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wexplorer\DefaultIcon	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wexplorer\shell\runas	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.exe\shell\open\command	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.exe\shell\open	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\wexplorer\DefaultIcon\ = "%1"	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.exe\shell\runas	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	464	csrssys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 464	4108	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe	86
PID 4108 wrote to memory of 464	4108	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe	86
PID 4108 wrote to memory of 464	4108	2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe	86
PID 464 wrote to memory of 3124	464	csrssys.exe	87
PID 464 wrote to memory of 3124	464	csrssys.exe	87
PID 464 wrote to memory of 3124	464	csrssys.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-09_13ed5138ed0fef95953a379a85ef4e12_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe"
    3⤵
    - Executes dropped EXE
    PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe

Filesize
344KB

MD5
ecc7551149084182d461faae948fe33e

SHA1
ba42ae1a9d3cd8d7bf5bae6731acd43b208e3c05

SHA256
cae87bf6c285d6e63f2ff88caed8256604f1f2efdd1d2d4f713aaafeee3b9132

SHA512
0f6858447fbbd536d3d3c0abc6435e9c95808d36992dd607cdb6e8152b1a8b6d96c56119d2a9c9816cdc8f73bf7ec17136e64bd5fc080b898a822bc9835370a5

Download Submit