Analysis Overview
SHA256
a689bcddefaa226f246d6d4c0fa296d2f9a7c85124a7fda1bc15367c028a93bf
Threat Level: Shows suspicious behavior
The file 2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:28
Reported
2024-11-10 01:31
Platform
win7-20240708-en
Max time kernel
123s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\Content-Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\ = "haldriver" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\ = "Application" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe\" /START \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe\" /START \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\Content-Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\haldriver\shell | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
Files
\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe
| Hash | Value |
| --- | --- |
| MD5 | 553ca60f6308ae27e95ae4e9b1ab6073 |
| SHA1 | 817c0515f391a77bb432c2587fd9e997481992c5 |
| SHA256 | e37310d25d5248300a88f0a83c365080c1fffa39cee1fcd6b7db295da8039303 |
| SHA512 | d4f12662c39be2800a6dd5d5d11e6b5d03840038a4645661deff64d31063e546692d4ac7938dddfbdb612a2bb1db801f4f9f38be31bb5a21fcc88a7f319bdbd0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:28
Reported
2024-11-10 01:31
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\lsassys.exe\" /START \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\Content-Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\Content-Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\ = "Application" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\halnt | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\ = "halnt" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\lsassys.exe\" /START \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4abd651810dd4d88824e660abce5ac13_mafia_nionspy.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nwoccs.zapto.org | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\lsassys.exe
| Hash | Value |
| --- | --- |
| MD5 | 736876af27776ae3239ade5a227aaf32 |
| SHA1 | 2fdc66b903d184835f0be183163df1605ec00c5a |
| SHA256 | b3c3fd7b831a10dacbfa94b30325d89849275f45a2452200bbac5ef7d30a995a |
| SHA512 | 797f1e3ff033bc747579352347b05babb699159a1d6dcb7651364d3659ba9ed31221e0f8c0591532399d37d073bb5a177dc1b97a72307e3ea78a7630164451ab |