Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    0s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/01/2024, 05:49

General

  • Target
    2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe
  • Size
    344KB
  • MD5
    02cd08e31c43c91b1fd150562debf20f
  • SHA1
    3f0afb4617736bf02ff001f9f9c9ecfe771201b2
  • SHA256
    84ea6a35ea9783e3ef5bdfa211da8176d92ccf13ae3c280cbbdd98e4a6353494
  • SHA512
    d0e7c70dbe2de95ac22e26169ce0af42987032fc019147480c25c8d85a43294a7b68f1090924330558fefd7739032fc10eaad3da559a95c39ec38bcd77e964eb
  • SSDEEP
    6144:kTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:kTBPFV0RyWl3h2E+7pYm0

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe (depth 1, PID 1404)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-09_02cd08e31c43c91b1fd150562debf20f_mafia_nionspy.exe"
    Signatures: Modifies registry class
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe (depth 2, PID 1948)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe"
  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe (depth 1, PID 2176)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe"

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
    Filesize
      9KB
    MD5
      c810e89597bb2b5ceb486ed874472e14
    SHA1
      c3489d193926fa0d6f8038bda24acfd403125ec7
    SHA256
      577798c94c7f7d677c5b2e859418a8fce8dcfc40dab8f2d866021da0f6a13e54
    SHA512
      9ec229622c93017371b4447fa1dc2f04c0f55338d75bd7767171b15dcfcca30a0056e46f855bd4dfa9a60e3fec670e253fddddc5cf82eb3b9f1f3227bac88fd8
  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
    Filesize
      42KB
    MD5
      c6a7b87a0c4fe3ef5910a72234f2da96
    SHA1
      86aa433bc69c624b079b35ee670893cef9249437
    SHA256
      6645dcef20764d32d1a629b1559a7efb609b4aee5f482f762c007ab1d455ee26
    SHA512
      5d61ecf6311e03699074229cec4a8c2fed4cff6a65a0ff794103ab064d5d927b71a36571b9ffaf325bc3efe392c90dc13264ea806f0596f57011cdf7f457297f
  • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
    Filesize
      20KB
    MD5
      ffb0c9f07f8e86d19678bb429e114615
    SHA1
      a681a47a3d1f0ffe25af5f0d0a5f41c308530218
    SHA256
      493c3cbe95351b91cddba676050dec3ef08515d8c99fb8fa81ad80139bddf9cd
    SHA512
      039704a89984bf2c9a20c13e7a80edc66b654b115bfa25730f3a7ccd6902240930cc61edfdced30daf4bc5d0f3b74302dda08279d62820c3e6b9a3fe81df0ef8
  • \Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
    Filesize
      9KB
    MD5
      4a2fc6ef5c9cf97c0f49e65466fe06ce
    SHA1
      0ad8feb64a3ecd1f81aed9a1fe432b8809a74ba2
    SHA256
      9998705053d8ffbe4baf512ae49d33386acbf550e3ac9b995b142574da7bd463
    SHA512
      e309535aa169aac83b359b1cc76456d28e3488dea8e71947fb2ded5cdcac012697de2a2e26df75cb41c538c4fa0db20ace45046df332e059d359b7f57509863e
  • \Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
    Filesize
      1KB
    MD5
      53bdbb1b547a17a40269b715035cbe62
    SHA1
      62f9ecddaba2e03d3b02a7b5c8d10e4250d9d71d
    SHA256
      5e6281c3b2593e093c84ddf2e5437ac8dfb58955be7e92d23fd9c83abe6d90b9
    SHA512
      58c5e117ac441ad4d02878e1ac19d65acd45a5256815aa64ddae581df4b39edc516f2811bbdb1f58880e16c438e95bfbd171925cace8e4ad3422e0dc5159a0d0
  • \Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
    Filesize
      7KB
    MD5
      f3db0159deb56469a616cab633cccde1
    SHA1
      612af1509e1d5581ca1b003b1343f176e8cbe02a
    SHA256
      7f7517b281a08fe1c4788722966f7e2e6ac1387c7e737422461e2b6280cd334e
    SHA512
      fcec2af21d212355d3ffd902762ab7234effdfd64d72b3d3b7bc6504b901ce7e9c5205507d9ec39c907049b09249f655293b0f4804988ab3f2910c567d5c8a43