Analysis

  • max time kernel
    144s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/08/2024, 10:09

General

  • Target

    2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    790c93e93ca7b7c3cdc9da3e70dc52cc

  • SHA1

    ed5ed0c947e3e0a83432f928acfe0283682912d4

  • SHA256

    690c99dbd24a6160a035e6b2aa327ffe21bcc99e4e7afd0e5ec28c1b110b21ae

  • SHA512

    28b63296de9403ad8ede4fe80709c51b89c6db5fd14dcaad78a3db36b56c561326af796ba9cc45e7124b9a75239fa612f372ad27dcb154653bc14df4777ea7c5

  • SSDEEP

    6144:0Tz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:0TBPFV0RyWl3h2E+7pl

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
        3⤵
        • Executes dropped EXE
        PID:2568

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

          Filesize

          280KB

          MD5

          9a60869d3d959f755ccfe51904310cb8

          SHA1

          259086fa356e2724eb70142c0504d7f334923511

          SHA256

          335125eee227589085f287e5a08fcc29a08cca4e915b614aa1afad3a5008e378

          SHA512

          0a814c8ea311337234eaeb8d9cd2b07a4581e74a8d911a3029b4ea79892133ca257ada5cfb49b03be22773f387e466c74e6bbed1198722d70d417bbc4e21612c