040394c37630d6f32f1509ac9b6ce1c1886df3a47a40b9bfa70a541b88fbfe3c

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 21:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Size

279KB
MD5

8782527ed9b00ac85bf92fa1ef05bfc9
SHA1

7bef3a98b76cfc90a34ec5e0006e649daaeebcac
SHA256

040394c37630d6f32f1509ac9b6ce1c1886df3a47a40b9bfa70a541b88fbfe3c
SHA512

e0cc3c4d3fb8933f38ad6a8fd14617a5d4d3b9ff899e47a5af794b6a4bdbeeb34480faf862ceb2ce0f36141d0f5feb01275d17d57e55a7c3de6ceccf6ce01946
SSDEEP

6144:1Tz+WrPFZvTXb4RyW42vFlOloh2E+7phg7ozD:1TBPFV0RyWl3h2E+7ph

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

pid	Process
4072	taskhostsys.exe
2896	taskhostsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\.exe\shell\runas	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\jitc\DefaultIcon	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\jitc\DefaultIcon\ = "%1"	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\jitc\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\taskhostsys.exe\" /START \"%1\" %*"	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\jitc\Content-Type = "application/x-msdownload"	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\jitc\shell\open\command	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\jitc\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\.exe	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\.exe\shell\runas\command	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\.exe\shell\open\command	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\.exe\shell\open	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\jitc\shell\open	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\jitc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\taskhostsys.exe\" /START \"%1\" %*"	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\jitc\shell\runas	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\.exe\ = "jitc"	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\jitc\shell\runas\command	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\jitc\shell\runas\command\ = "\"%1\" %*"	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\.exe\DefaultIcon	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\jitc	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\jitc\ = "Application"	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\jitc\shell	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\.exe\shell	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4072	taskhostsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 4072	1184	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe	86
PID 1184 wrote to memory of 4072	1184	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe	86
PID 1184 wrote to memory of 4072	1184	2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe	86
PID 4072 wrote to memory of 2896	4072	taskhostsys.exe	87
PID 4072 wrote to memory of 2896	4072	taskhostsys.exe	87
PID 4072 wrote to memory of 2896	4072	taskhostsys.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-02_8782527ed9b00ac85bf92fa1ef05bfc9_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe"
    3⤵
    - Executes dropped EXE
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\taskhostsys.exe

Filesize
279KB

MD5
0859d7ba25a56c363a19b948f346dff6

SHA1
ce225988a4b4742912e16c7f3dc635725826645b

SHA256
dce4adf8fe586c1f79e74dd439db7cb20746db9e817f75a5918b4a6eaae9df3c

SHA512
42482e19037e3af7e99dafc043a56cbcf07fc925e702fa6d9b3f58e62b7f8122dfde49df4d4b0a3b2fc353796fc34c1a65e78a939bb32aa9d75fd356f0621e41

Download Submit