Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 16:26
Static task: static1
Behavioral task: behavioral1
Sample: 2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Resource: win7-20231215-en
General
Target: 2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Size: 288KB
MD5: 14841626aafdc901eef87a0caa146766
SHA1: 451d7c145bfbdf9a0fd5cee42627eb4f7d48d72f
SHA256: 54f78bfaea6c1f2938875cadd4060e5ca115d5445b1b6f8f3b5a617fae90e045
SHA512: 959fd81fb5cbac4ffcd9b6edc983cc4aca5fd4a9acd8cf4f6439c642582bda20e98e090128558f719ea4018bfd8c9e56e069b053eb3af73e24fda726291e8659
SSDEEP: 6144:XuQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:+QMyfmNFHfnWfhLZVHmOog
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
- csrssys.exe (PID 3028)
- csrssys.exe (PID 2628)
Loads dropped DLL (4 IoCs)
Processes:
- 2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe (PID 2376)
- 2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe (PID 2376)
- 2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe (PID 2376)
- csrssys.exe (PID 3028)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (28 IoCs)
Processes: 2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe (all 28 operations below were recorded for this process)
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\DefaultIcon
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\open\command
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\csrssys.exe\" /START \"%1\" %*"
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\ = "Application"
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\csrssys.exe\" /START \"%1\" %*"
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\runas\command
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\DefaultIcon\ = "%1"
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\DefaultIcon\ = "%1"
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\runas\command\ = "\"%1\" %*"
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\runas
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\ = "wexplorer"
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\runas\command
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\Content-Type = "application/x-msdownload"
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\open
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\runas
- Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\open
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\DefaultIcon
- Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\open\command
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
- Token: SeIncBasePriorityPrivilege, PID 3028, csrssys.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (PID, source process -> target process):
- PID 2376 wrote to memory of 3028: 2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe -> csrssys.exe
- PID 2376 wrote to memory of 3028: 2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe -> csrssys.exe
- PID 2376 wrote to memory of 3028: 2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe -> csrssys.exe
- PID 2376 wrote to memory of 3028: 2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe -> csrssys.exe
- PID 3028 wrote to memory of 2628: csrssys.exe -> csrssys.exe
- PID 3028 wrote to memory of 2628: csrssys.exe -> csrssys.exe
- PID 3028 wrote to memory of 2628: csrssys.exe -> csrssys.exe
- PID 3028 wrote to memory of 2628: csrssys.exe -> csrssys.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe"
  PID: 2376
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe (child of PID 2376)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe"
    PID: 3028
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe (child of PID 3028)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe"
      PID: 2628
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe
  Filesize: 288KB
  MD5: 7e3aff11e158809102a411c2c3ff4a55
  SHA1: f4daa75e4784a00acb10d9086df844265312f3c5
  SHA256: 9b74a6ca8e46226666f0439b616cc1cf1e993899d0ad45a2262463d68f1c2868
  SHA512: c753e2d8d124e1f91089d8b7c68eb0fcd17753daeb7f747e95ab68aa9f97d804df02f5fd7df349b44aa81aed46ae7dba5cbd1231896d77de7fa38e57596e2222