Malware Analysis Report

2024-12-01 01:23

Sample ID 241110-b19nhazkbr
Target 2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy
SHA256 977cb68106c712ed4477e24273341f0d56bca1b3bb45b1563d2d6dde58bf0651
Tags: discovery
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

977cb68106c712ed4477e24273341f0d56bca1b3bb45b1563d2d6dde58bf0651

Threat level: shows suspicious behavior (score 7/10).

The file 2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe drops a second executable into a fake system directory under %APPDATA%\Microsoft (SysWOW_amd64\csrssys.exe in the Windows 7 run, SView\sidebar2.exe in the Windows 10 run), rewrites the per-user .exe file association in HKCU so that the dropped binary is invoked with /START "%1" %* whenever the user launches any .exe, writes into the memory of the processes it spawns (observed in the Windows 7 run), and resolves the dynamic-DNS hostname nwoccs.zapto.org. Only DNS traffic was recorded in either run; no follow-up connection or payload download appears within the sandbox window.

Malicious Activity Summary (tag: discovery)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Discovery: System Location Discovery: System Language Discovery (T1614.001)

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:37

Reported

2024-11-10 01:40

Platform

win7-20240903-en

Max time kernel

120s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe N/A

Modifies registry class

The values below are a per-user .exe file-association hijack (ATT&CK T1546.001, Event Triggered Execution: Change Default File Association). HKCU\Software\Classes\.exe is pointed at a new ProgID "wexplorer", and both wexplorer\shell\open\command and .exe\shell\open\command are set to run the dropped csrssys.exe with /START "%1" %*, so every .exe the user opens runs the implant first; the /START argument suggests it then relaunches the original target, but this report does not confirm that. The runas (elevated) verb keeps the stock "%1" %* handler. Because these are HKCU values, they override the machine-wide exefile association without administrative rights.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\ = "Application" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\csrssys.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\shell C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\csrssys.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe\shell C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe\shell\open C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe\ = "wexplorer" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\shell\open C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A

Suspicious use of AdjustPrivilegeToken

The dropped csrssys.exe enables SeIncBasePriorityPrivilege ("Increase scheduling priority"). On its own this is a weak signal; it is listed here because the request comes from the dropped binary rather than the original sample.

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe N/A

Suspicious use of WriteProcessMemory

Four writes from the dropper (PID 2940) into the csrssys.exe it launched (PID 2968), then four from that process into a second csrssys.exe instance (PID 2776). A parent writing into a freshly created child is the pattern of process injection or hollowing; the report does not show what was written, so the injected content is unknown.

Description Indicator Process Target
PID 2940 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
PID 2940 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
PID 2940 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
PID 2940 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
PID 2968 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
PID 2968 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
PID 2968 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
PID 2968 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
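As an added example (not part of the sandbox output), the following Python reconstructs the two findings above from the report's own row format: it parses the "Set value" rows, follows the .exe association to its ProgID and shell\open\command the way the shell does, and flags a handler whose first token is not the stock "%1"; it also deduplicates the WriteProcessMemory rows into a write chain starting at the dropper. The sample rows are copied from this section as constructed test input, and the column splitting (description, indicator, process, target separated by whitespace) is an assumption about how this report renders its tables.

```python
"""Parse the flattened signature rows of this sandbox report and rebuild
(1) the per-user .exe file-association hijack and (2) the WriteProcessMemory
chain.  Added example, not sandbox code; it assumes the row layout
"<Description> <Indicator> <Process> <Target>" exactly as rendered above."""
import re

# Constructed test input: rows copied from the behavioral1 tables above.
REG_ROWS = r"""
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.exe\ = "wexplorer" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\csrssys.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\wexplorer\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
"""
WPM_ROWS = r"""
PID 2940 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
PID 2940 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
PID 2968 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
"""

# 'Set value (str) <key> = "<value>" <process> <target>'; the value keeps the
# report's backslash escapes (\" and \\), which unescape() removes.
SET_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+) = "(?P<val>(?:[^"\\]|\\.)*)"'
    r'\s+(?P<proc>.+?)\s+(?P<target>\S+)$')
# Per-user classes hive as the sandbox names it: \REGISTRY\USER\<SID>_CLASSES\...
CLASSES_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)_CLASSES\\(?P<path>.+)$', re.IGNORECASE)
WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+(?P<src_img>\S+)\s+(?P<dst_img>\S+)$')


def unescape(value):
    return re.sub(r'\\(.)', r'\1', value)


def split_value_path(path):
    """A trailing backslash means the key's default value: '.exe\\' ->
    ('.exe', ''); otherwise the last component is the value name."""
    if path.endswith('\\'):
        return path[:-1].lower(), ''
    key, _, name = path.rpartition('\\')
    return key.lower(), name.lower()


def parse_registry_rows(rows):
    """Return {sid: {key: {value_name: data}}} for per-user Classes writes."""
    classes = {}
    for line in rows.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue                      # "Key created" rows carry no data
        c = CLASSES_RE.match(m['key'])
        if not c:
            continue                      # not under HKCU\Software\Classes
        key, name = split_value_path(c['path'])
        classes.setdefault(c['sid'], {}).setdefault(key, {})[name] = unescape(m['val'])
    return classes


def resolve_open_command(classes, ext='.exe'):
    """Follow ext -> ProgID -> shell\\open\\command as the shell does, falling
    back to a command stored directly under the extension key."""
    progid = classes.get(ext, {}).get('')
    for base in (progid, ext):
        if base:
            cmd = classes.get(base.lower() + r'\shell\open\command', {}).get('')
            if cmd:
                return progid, cmd
    return progid, None


def interposed_binary(command):
    """The program that runs instead of the clicked file, or None when the
    command is the stock exefile handler, whose first token is "%1"."""
    cmd = command.strip()
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]
    return None if first == '%1' else first


def detect_exe_hijack(rows):
    findings = []
    for sid, classes in parse_registry_rows(rows).items():
        progid, cmd = resolve_open_command(classes)
        binary = interposed_binary(cmd) if cmd else None
        if binary:
            findings.append({'sid': sid, 'progid': progid, 'interposer': binary, 'command': cmd})
    return findings


def injection_chain(rows, root_pid):
    """Deduplicate WriteProcessMemory rows and walk the writes outward from
    root_pid, returning [(pid, image), ...]; the seen-set stops on cycles."""
    edges = {}
    for line in rows.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges.setdefault((int(m['src']), int(m['dst'])), (m['src_img'], m['dst_img']))
    chain, pid, seen = [], root_pid, set()
    while pid not in seen:
        seen.add(pid)
        for (src, dst), (src_img, dst_img) in edges.items():
            if src == pid:
                if not chain:
                    chain.append((pid, src_img))
                chain.append((dst, dst_img))
                pid = dst
                break
        else:
            break
    return chain


if __name__ == '__main__':
    for f in detect_exe_hijack(REG_ROWS):
        print(f"[{f['sid']}] .exe -> {f['progid']} -> {f['interposer']}")
    for pid, image in injection_chain(WPM_ROWS, 2940):
        print(f"PID {pid}: {image}")
```

The same two functions apply unchanged to the behavioral2 rows (ProgID prochost, handler sidebar2.exe), which is the point of matching on the handler shape rather than on a filename: the dropped name differs between runs, the registry pattern does not.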

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe"

Network

The only recorded network activity is a DNS query for nwoccs.zapto.org; zapto.org is a No-IP dynamic-DNS domain, a common choice for RAT command-and-control. No resolved address or follow-up connection was recorded.

Country Destination Domain Proto
US 8.8.8.8:53 nwoccs.zapto.org udp

Files

\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe

Dropped by the sample and executed (see Processes). The name imitates csrss.exe (the Windows Client/Server Runtime process) and SysWOW_amd64 is not a directory Windows creates, so both the path and the name are hunting indicators. The Windows 10 run dropped a differently named file in a different folder, so pivot on the hashes below and on the registry pattern rather than on the filename.

MD5 c02d10dba4a9e585fc475ec017a50a1f
SHA1 d8566f9dc677fd6d3d0546aa9afe9e30c58d4f44
SHA256 03a15307861cae13521aadc003d83ac144bbd4a410a8e67360d73ec44bec2dd1
SHA512 058ccdb619b8a4e14221f5a582ecb769bcfb0f79036364a4f3a896bfaf5bc555e6047c78fd2b528c85070d58394bb69210fc603805775db8a8bc6a2ca92e2953

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:37

Reported

2024-11-10 01:40

Platform

win10v2004-20241007-en

Max time kernel

122s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe"

Signatures

Checks computer location settings

The sample reads the user's configured country (Control Panel\International\Geo\Nation). Malware commonly does this to avoid running in particular regions; the report does not show whether the value changed the sample's behavior.

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe N/A

Modifies registry class

The same per-user .exe file-association hijack as in the Windows 7 run, with the ProgID prochost and the dropped sidebar2.exe as the interposed handler ("sidebar2.exe" /START "%1" %*); the runas verb again keeps "%1" %*. The purpose of the additional HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance key is not established by this report.

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.exe\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\prochost\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\prochost\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\prochost\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.exe\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.exe\shell C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.exe\shell\open C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\prochost\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\prochost\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\prochost\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\prochost\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\prochost\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\sidebar2.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\prochost\ = "Application" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\prochost\shell C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\prochost\shell\open C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\prochost C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.exe\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.exe\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\prochost\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\prochost\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\sidebar2.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.exe\ = "prochost" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.exe\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.exe\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_ccd39e20397244d69dd3d19952e6ab16_mafia_nionspy.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe"

Network

All recorded traffic is DNS to the sandbox resolver. The *.in-addr.arpa entries are reverse (PTR) lookups of external addresses; such lookups are commonly generated by Windows background services and cannot be attributed to the sample from this report alone. The name the sample is known to resolve is nwoccs.zapto.org, queried repeatedly with no recorded follow-up connection.

Country Destination Domain Proto
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\SView\sidebar2.exe

Dropped by the sample and executed (see Processes). A SView folder under %APPDATA%\Microsoft is not a Windows component, and the hashes below differ from those of the Windows 7 drop (csrssys.exe), so the dropped binary is not a byte-identical copy across runs.

MD5 75acf5aeb3a841052fe1b19db0837aee
SHA1 e88946da53e2892280dcfd8b51346af25b9ef498
SHA256 ba2a23f918fc6f35bcad08f5c9292777ef33575258828ce3d66075642c291583
SHA512 9d016dc92824aa3d0f44357bfc776a253348c8463a1804d58947318166449650498fdb5ef95f558afe82aa91876c06312e8bb130e29d7b1a73b0becfb2255f97