b12324bbe77969facdd353b891cffd52f6bd9b22a873a9d06806b12f3783633b

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
04/08/2023, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Size

327KB
MD5

645766e5a37717ea78a5b3366b739aa5
SHA1

bcd38983f2fc2ab80782c507b42b64871e6a883a
SHA256

b12324bbe77969facdd353b891cffd52f6bd9b22a873a9d06806b12f3783633b
SHA512

6566b77275152e0830728234efbbdf384af0b4d8c06ca10d1d5113a846a7cfc4afa0c46415a3fff95dd58beea87dc420a381e016a60f1d4f9d01c4583af7eea4
SSDEEP

6144:j2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDhs2+JS2sF/:j2TFafJiHCWBWPMjVWrXfs2TF/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2172	csrssys.exe
2908	csrssys.exe

Loads dropped DLL 3 IoCs

pid	Process
2060	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
2060	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
2060	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\wexplorer\Content-Type = "application/x-msdownload"	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\csrssys.exe\" /START \"%1\" %*"	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.exe\DefaultIcon	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.exe\DefaultIcon\ = "%1"	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.exe\ = "wexplorer"	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.exe\shell	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.exe\shell\runas\command	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\wexplorer	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\wexplorer\DefaultIcon	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\wexplorer\shell\runas	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.exe\shell\open\command	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\csrssys.exe\" /START \"%1\" %*"	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\wexplorer\shell	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\wexplorer\shell\open	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.exe\shell\open	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\wexplorer\shell\runas\command	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\wexplorer\shell\runas\command\ = "\"%1\" %*"	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\wexplorer\ = "Application"	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\wexplorer\DefaultIcon\ = "%1"	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\wexplorer\shell\open\command	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.exe	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.exe\shell\runas	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2172	csrssys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2172	2060	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe	28
PID 2060 wrote to memory of 2172	2060	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe	28
PID 2060 wrote to memory of 2172	2060	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe	28
PID 2060 wrote to memory of 2172	2060	645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe	28
PID 2172 wrote to memory of 2908	2172	csrssys.exe	29
PID 2172 wrote to memory of 2908	2172	csrssys.exe	29
PID 2172 wrote to memory of 2908	2172	csrssys.exe	29
PID 2172 wrote to memory of 2908	2172	csrssys.exe	29

C:\Users\Admin\AppData\Local\Temp\645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe
"C:\Users\Admin\AppData\Local\Temp\645766e5a37717ea78a5b3366b739aa5_mafia_nionspy_JC.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe"
    3⤵
    - Executes dropped EXE
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe

Filesize
327KB

MD5
987d6d91b44e28549fb0fa73865fdd1d

SHA1
c98c912d59023994d3962f63c2a78a6471a17bc1

SHA256
1bb7aef7db262595aeb5ae008540c973d5e09421304a7896630e1f2d326886a7

SHA512
c7cd36b483788cb58e2d3f2400d3491168f33f4818bfc4e4c669c1bc701c73771e58e08e33fedf75bf03e6c62d2e593885558fd7952c87f8e19836233bd807a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe

Filesize
327KB

MD5
987d6d91b44e28549fb0fa73865fdd1d

SHA1
c98c912d59023994d3962f63c2a78a6471a17bc1

SHA256
1bb7aef7db262595aeb5ae008540c973d5e09421304a7896630e1f2d326886a7

SHA512
c7cd36b483788cb58e2d3f2400d3491168f33f4818bfc4e4c669c1bc701c73771e58e08e33fedf75bf03e6c62d2e593885558fd7952c87f8e19836233bd807a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe

Filesize
327KB

MD5
987d6d91b44e28549fb0fa73865fdd1d

SHA1
c98c912d59023994d3962f63c2a78a6471a17bc1

SHA256
1bb7aef7db262595aeb5ae008540c973d5e09421304a7896630e1f2d326886a7

SHA512
c7cd36b483788cb58e2d3f2400d3491168f33f4818bfc4e4c669c1bc701c73771e58e08e33fedf75bf03e6c62d2e593885558fd7952c87f8e19836233bd807a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe

Filesize
327KB

MD5
987d6d91b44e28549fb0fa73865fdd1d

SHA1
c98c912d59023994d3962f63c2a78a6471a17bc1

SHA256
1bb7aef7db262595aeb5ae008540c973d5e09421304a7896630e1f2d326886a7

SHA512
c7cd36b483788cb58e2d3f2400d3491168f33f4818bfc4e4c669c1bc701c73771e58e08e33fedf75bf03e6c62d2e593885558fd7952c87f8e19836233bd807a5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe

Filesize
327KB

MD5
987d6d91b44e28549fb0fa73865fdd1d

SHA1
c98c912d59023994d3962f63c2a78a6471a17bc1

SHA256
1bb7aef7db262595aeb5ae008540c973d5e09421304a7896630e1f2d326886a7

SHA512
c7cd36b483788cb58e2d3f2400d3491168f33f4818bfc4e4c669c1bc701c73771e58e08e33fedf75bf03e6c62d2e593885558fd7952c87f8e19836233bd807a5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe

Filesize
327KB

MD5
987d6d91b44e28549fb0fa73865fdd1d

SHA1
c98c912d59023994d3962f63c2a78a6471a17bc1

SHA256
1bb7aef7db262595aeb5ae008540c973d5e09421304a7896630e1f2d326886a7

SHA512
c7cd36b483788cb58e2d3f2400d3491168f33f4818bfc4e4c669c1bc701c73771e58e08e33fedf75bf03e6c62d2e593885558fd7952c87f8e19836233bd807a5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe

Filesize
327KB

MD5
987d6d91b44e28549fb0fa73865fdd1d

SHA1
c98c912d59023994d3962f63c2a78a6471a17bc1

SHA256
1bb7aef7db262595aeb5ae008540c973d5e09421304a7896630e1f2d326886a7

SHA512
c7cd36b483788cb58e2d3f2400d3491168f33f4818bfc4e4c669c1bc701c73771e58e08e33fedf75bf03e6c62d2e593885558fd7952c87f8e19836233bd807a5

Download Submit