Analysis Overview
SHA256
690c99dbd24a6160a035e6b2aa327ffe21bcc99e4e7afd0e5ec28c1b110b21ae
Threat Level: Shows suspicious behavior
The file 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 10:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:11
Platform
win7-20240729-en
Max time kernel
120s
Max time network
63s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\dwmsys.exe\" /START \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\Content-Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\Content-Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\dwmsys.exe\" /START \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\ = "systemui" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\ = "Application" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
Files
\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe
| MD5 | a3f8cbc0c01d908299e7128d61ca044f |
| SHA1 | 3aaea9dd2f1f37ca0e013a87dc05ec08118813e4 |
| SHA256 | 0133f7f5e45800dd4ca6e13eb91d1fb171a555ac370f6326bda711379ff20649 |
| SHA512 | f2cad0f5ba348c815698f23d50428bbf364125295482f60af8547023e2fd4b8c80983812c2adb639f1dcd2d1cc1ec1134ce51af674a93cdb2cdc92188c99b966 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 10:09
Reported
2024-08-25 10:12
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
130s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\Content-Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\ = "Application" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe\" /START \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\ = "haldriver" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\Content-Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe\" /START \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A |
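The "Modifies registry class" rows of both detonations record the same technique: the sample creates a per-user file association for .exe (a new ProgID, "systemui" on the Windows 7 run and "haldriver" on the Windows 10 run) whose shell\open\command launches the dropped executable with /START "%1" %*, so every .exe the user opens runs the implant first, and the implant then starts the real target. Because the keys live under HKCU\Software\Classes they need no administrative rights, and they take precedence over the machine-wide exefile handler in HKLM. The script below is an added example (not the sandbox's or the sample's code): it parses the indicator strings copied from the two tables, resolves the .exe chain per user hive, flags any open command that is not the stock "%1" %* template, and renders the command line the shell would build, which for the dropped file as target reproduces the process-list entry in this report. The optional live-host check reads the same two keys through winreg and is only meaningful on Windows.

```python
"""Reconstruct the .exe file-association hijack recorded in this report.

Added example; not the sandbox's code and not the sample's own code.
REPORT_ROWS are the relevant "Modifies registry class" indicators from both
detonations, copied verbatim; the parser, the hijack check, the launch
rendering and the optional live-host check are the added logic.
"""
import re

# Indicator strings exactly as the report prints them. The sandbox renders
# registry data as string literals, so \" and \\ inside a value are escapes.
REPORT_ROWS = [
    # behavioral1 (win7): .exe -> ProgID "systemui" -> dwmsys.exe
    r'\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\ = "systemui"',
    r'\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\dwmsys.exe\" /START \"%1\" %*"',
    r'\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"',
    r'\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\dwmsys.exe\" /START \"%1\" %*"',
    # behavioral2 (win10): .exe -> ProgID "haldriver" -> wlogon32.exe
    r'\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\ = "haldriver"',
    r'\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe\" /START \"%1\" %*"',
    r'\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe\" /START \"%1\" %*"',
]

# Stock open command of exefile under HKLM\Software\Classes: run the file itself
# with its arguments. Anything else in a per-user .exe handler is a hijack.
CLEAN_OPEN_COMMAND = '"%1" %*'

ROW_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-[\d-]+)_CLASSES\\(?P<path>.*?)\\(?P<name>[^\\]*) = "(?P<value>.*)"$',
    re.IGNORECASE,
)


def parse_rows(rows):
    """Map each user SID to {(key path, value name): unescaped value}."""
    hives = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        value = re.sub(r"\\(.)", r"\1", m["value"])  # \" -> "  and  \\ -> \
        hives.setdefault(m["sid"], {})[(m["path"].lower(), m["name"].lower())] = value
    return hives


def handler_path(command):
    """Executable named by a command template, quoted ("C:\\x.exe" /a) or bare."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return m.group(1) or m.group(2)


def find_exe_hijacks(rows):
    """Resolve HKCU\\Software\\Classes\\.exe -> ProgID -> shell\\open\\command per
    user hive, plus the direct .exe\\shell\\open\\command, and report any route
    whose command is not the clean "%1" %* template."""
    findings = []
    for sid, values in parse_rows(rows).items():
        progid = values.get((".exe", ""))
        routes = {}
        if progid:
            routes[progid] = values.get((progid.lower() + r"\shell\open\command", ""))
        routes[".exe"] = values.get((r".exe\shell\open\command", ""))
        bad = {k: v for k, v in routes.items() if v and v != CLEAN_OPEN_COMMAND}
        if bad:
            findings.append({
                "sid": sid,
                "progid": progid,
                "routes": sorted(bad),
                "handlers": sorted({handler_path(v) for v in bad.values()}),
                "command": bad.get(progid) or bad[".exe"],
            })
    return findings


def render_launch(template, target, args=()):
    """Expand an open-command template the way the shell does: %1 becomes the
    file being opened, %* the rest of its arguments."""
    return template.replace("%1", target).replace("%*", " ".join(args)).rstrip()


def live_user_exe_handler():
    """On a Windows host, read the same two keys live. Returns None off Windows
    or when HKCU\\Software\\Classes\\.exe is absent, which is the clean state."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Classes\.exe") as k:
            progid = winreg.QueryValueEx(k, "")[0]
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            rf"Software\Classes\{progid}\shell\open\command") as k:
            return progid, winreg.QueryValueEx(k, "")[0]
    except OSError:
        return None


if __name__ == "__main__":
    for f in find_exe_hijacks(REPORT_ROWS):
        print(f"{f['sid']}: .exe -> {f['progid']} -> {f['handlers']}")
        # Opening any .exe now runs the implant first; with the dropped file as
        # the target this is the command line in the report's process list.
        print("  ", render_launch(f["command"], f["handlers"][0]))
```

The IsolatedCommand and runas\command values the sample also writes are the stock exefile values ("%1" %*); it copies the whole exefile layout under its new ProgID and changes only the open command, so a comparison against "%1" %* on shell\open\command is the check that matters, not the mere presence of the keys. On a live host, a missing HKCU\Software\Classes\.exe key is the normal state; a present one that names anything other than exefile deserves a look.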
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
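Most rows in the two Network tables are not the sample's: the in-addr.arpa names are reverse lookups issued by the resolver, and the bing.com/bing.net traffic is Windows 10 background activity. What is left is repeated DNS queries for nwoccs.zapto.org, a name under a free dynamic-DNS zone, with no TCP connection recorded to whatever it resolved to. The script below is an added example (not the sandbox's code) that applies that triage to a subset of rows copied from the tables; the background allowlist and the dynamic-DNS zone list are assumptions to tune against your own sandbox baseline.

```python
"""Triage the report's Network tables: separate destinations attributable to the
sample from resolver and OS background traffic.

Added example, not the sandbox's code. NETWORK_ROWS are a subset of rows copied
from the two Network tables; BACKGROUND_SUFFIXES and DYNAMIC_DNS_SUFFIXES are
assumptions (tune them to your own baseline).
"""

NETWORK_ROWS = """
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
""".strip().splitlines()

# Assumption: Windows 10 reaches these on its own (Start menu / search tiles).
BACKGROUND_SUFFIXES = ("bing.com", "bing.net")
# A few free dynamic-DNS zones; zapto.org is one of No-IP's.
DYNAMIC_DNS_SUFFIXES = ("zapto.org", "no-ip.org", "no-ip.biz", "ddns.net",
                        "hopto.org", "sytes.net", "duckdns.org")


def _under(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(domain):
    """Bucket a queried name: PTR noise, known background, dynamic DNS, or other."""
    if domain.endswith(".in-addr.arpa"):
        return "ptr"
    if _under(domain, BACKGROUND_SUFFIXES):
        return "background"
    if _under(domain, DYNAMIC_DNS_SUFFIXES):
        return "dyndns"
    return "other"


def summarize(rows):
    """Per domain: class, number of DNS queries, distinct TCP endpoints contacted."""
    summary = {}
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        _country, dest, domain, proto = cells
        entry = summary.setdefault(domain, {"class": classify(domain), "dns": 0, "tcp": []})
        if proto == "udp" and dest.endswith(":53"):
            entry["dns"] += 1
        elif proto == "tcp" and dest not in entry["tcp"]:
            entry["tcp"].append(dest)
    return summary


def sample_destinations(summary):
    """Drop PTR and background noise; what remains is worth blocking or hunting.
    A name with DNS queries but an empty tcp list was queried (repeatedly) but
    never connected to within the capture window."""
    return {d: e for d, e in summary.items() if e["class"] not in ("ptr", "background")}


if __name__ == "__main__":
    for domain, entry in sample_destinations(summarize(NETWORK_ROWS)).items():
        print(domain, entry)
```

The useful output is the gap between the DNS column and the TCP column: a beacon name that is queried several times with no connection behind it usually means the dynamic-DNS record did not resolve during the run, so the network capture says little about the C2 protocol and the domain itself is the indicator to act on.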
Files
C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
| MD5 | 9a60869d3d959f755ccfe51904310cb8 |
| SHA1 | 259086fa356e2724eb70142c0504d7f334923511 |
| SHA256 | 335125eee227589085f287e5a08fcc29a08cca4e915b614aa1afad3a5008e378 |
| SHA512 | 0a814c8ea311337234eaeb8d9cd2b07a4581e74a8d911a3029b4ea79892133ca257ada5cfb49b03be22773f387e466c74e6bbed1198722d70d417bbc4e21612c |