Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    126s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230824-en
  • resource tags

    arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2023, 11:17

General

  • Target

    8e261b67fcd36b84bbf35112caa67f24_mafia_nionspy_JC.exe

  • Size

    344KB

  • MD5

    8e261b67fcd36b84bbf35112caa67f24

  • SHA1

    223bf3d5dea2774c944194d8f85579ded09c57b0

  • SHA256

    a8206adbaab94415db7a14283cd510b3dc67679781d4d838eba8b3d6fe7514ff

  • SHA512

    85b881d242598f7c57e5acb0839771fc9fac29e75ce536a001a130f4dd403b7eed375b6b822a456cfbe09c8425f6d89fa09486423411b89820ba5f3d5da9490c

  • SSDEEP

    6144:tTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:tTBPFV0RyWl3h2E+7pYm0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e261b67fcd36b84bbf35112caa67f24_mafia_nionspy_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\8e261b67fcd36b84bbf35112caa67f24_mafia_nionspy_JC.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe"
        3⤵
        • Executes dropped EXE
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe

    Filesize

    344KB

    MD5

    7c96ff234219e359660d2ba8da89bb00

    SHA1

    24a56a9220b1d83a9654369145a8d99c14cffd11

    SHA256

    768fae7000523bb355dd16dd4416921b255e58dea1858df3e3b3a59dcaccb502

    SHA512

    854d327d5e9c3f26257acb5159936852b70566dc3f4286df9980094b0a391954fea7e8ae3cff4aef65b3cc4ebca00d5448b9a1eb0320e8e3c8a302ef338852f0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe

    Filesize

    344KB

    MD5

    7c96ff234219e359660d2ba8da89bb00

    SHA1

    24a56a9220b1d83a9654369145a8d99c14cffd11

    SHA256

    768fae7000523bb355dd16dd4416921b255e58dea1858df3e3b3a59dcaccb502

    SHA512

    854d327d5e9c3f26257acb5159936852b70566dc3f4286df9980094b0a391954fea7e8ae3cff4aef65b3cc4ebca00d5448b9a1eb0320e8e3c8a302ef338852f0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe

    Filesize

    344KB

    MD5

    7c96ff234219e359660d2ba8da89bb00

    SHA1

    24a56a9220b1d83a9654369145a8d99c14cffd11

    SHA256

    768fae7000523bb355dd16dd4416921b255e58dea1858df3e3b3a59dcaccb502

    SHA512

    854d327d5e9c3f26257acb5159936852b70566dc3f4286df9980094b0a391954fea7e8ae3cff4aef65b3cc4ebca00d5448b9a1eb0320e8e3c8a302ef338852f0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe

    Filesize

    344KB

    MD5

    7c96ff234219e359660d2ba8da89bb00

    SHA1

    24a56a9220b1d83a9654369145a8d99c14cffd11

    SHA256

    768fae7000523bb355dd16dd4416921b255e58dea1858df3e3b3a59dcaccb502

    SHA512

    854d327d5e9c3f26257acb5159936852b70566dc3f4286df9980094b0a391954fea7e8ae3cff4aef65b3cc4ebca00d5448b9a1eb0320e8e3c8a302ef338852f0

  • \Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe

    Filesize

    344KB

    MD5

    7c96ff234219e359660d2ba8da89bb00

    SHA1

    24a56a9220b1d83a9654369145a8d99c14cffd11

    SHA256

    768fae7000523bb355dd16dd4416921b255e58dea1858df3e3b3a59dcaccb502

    SHA512

    854d327d5e9c3f26257acb5159936852b70566dc3f4286df9980094b0a391954fea7e8ae3cff4aef65b3cc4ebca00d5448b9a1eb0320e8e3c8a302ef338852f0

  • \Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe

    Filesize

    344KB

    MD5

    7c96ff234219e359660d2ba8da89bb00

    SHA1

    24a56a9220b1d83a9654369145a8d99c14cffd11

    SHA256

    768fae7000523bb355dd16dd4416921b255e58dea1858df3e3b3a59dcaccb502

    SHA512

    854d327d5e9c3f26257acb5159936852b70566dc3f4286df9980094b0a391954fea7e8ae3cff4aef65b3cc4ebca00d5448b9a1eb0320e8e3c8a302ef338852f0

  • \Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe

    Filesize

    344KB

    MD5

    7c96ff234219e359660d2ba8da89bb00

    SHA1

    24a56a9220b1d83a9654369145a8d99c14cffd11

    SHA256

    768fae7000523bb355dd16dd4416921b255e58dea1858df3e3b3a59dcaccb502

    SHA512

    854d327d5e9c3f26257acb5159936852b70566dc3f4286df9980094b0a391954fea7e8ae3cff4aef65b3cc4ebca00d5448b9a1eb0320e8e3c8a302ef338852f0

  • \Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe

    Filesize

    344KB

    MD5

    7c96ff234219e359660d2ba8da89bb00

    SHA1

    24a56a9220b1d83a9654369145a8d99c14cffd11

    SHA256

    768fae7000523bb355dd16dd4416921b255e58dea1858df3e3b3a59dcaccb502

    SHA512

    854d327d5e9c3f26257acb5159936852b70566dc3f4286df9980094b0a391954fea7e8ae3cff4aef65b3cc4ebca00d5448b9a1eb0320e8e3c8a302ef338852f0