Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 123s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/01/2024, 07:46
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe
Size: 327KB
MD5: 28d0751662e13a00f88f021f3d1916df
SHA1: ae455b75fa3b7283f4e3c905df7a819e93811450
SHA256: bb0938af191ac83a0b0d891a6f72f890ab14ee039e9e581ca3b6bc62f92f161d
SHA512: 3b9e47f70c5b0f633a389813faf1c1e25205e3c02e8469c8d1706387af0b280f8ad68bd51ca7a863fce6545857aaebb6f9a4ad011d33f34858973432953f55bc
SSDEEP: 6144:l2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:l2TFafJiHCWBWPMjVWrXK0
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid    Process
2836   csrssys.exe
3004   csrssys.exe
Loads dropped DLL (4 IoCs)
pid    Process
1796   2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe
1796   2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe
1796   2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe
2836   csrssys.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (28 IoCs)
Process for every row: 2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe
description      ioc
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\wexplorer\ = "Application"
Key created      \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\open\command
Key created      \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\wexplorer\shell
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\ = "wexplorer"
Key created      \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\runas\command
Key created      \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\wexplorer\shell\runas\command
Key created      \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe
Key created      \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\runas
Key created      \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\wexplorer\shell\open
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"
Key created      \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\wexplorer\Content-Type = "application/x-msdownload"
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\wexplorer\DefaultIcon\ = "%1"
Key created      \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\DefaultIcon
Key created      \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\open
Key created      \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\wexplorer
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\DefaultIcon\ = "%1"
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"
Key created      \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\wexplorer\shell\runas
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\csrssys.exe\" /START \"%1\" %*"
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"
Key created      \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\wexplorer\DefaultIcon
Key created      \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\wexplorer\shell\open\command
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\csrssys.exe\" /START \"%1\" %*"
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\wexplorer\shell\runas\command\ = "\"%1\" %*"
Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description                         pid    Process
Token: SeIncBasePriorityPrivilege   2836   csrssys.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid    Process                                                          procid_target
PID 1796 wrote to memory of 2836   1796   2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe   28
PID 1796 wrote to memory of 2836   1796   2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe   28
PID 1796 wrote to memory of 2836   1796   2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe   28
PID 1796 wrote to memory of 2836   1796   2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe   28
PID 2836 wrote to memory of 3004   2836   csrssys.exe                                                      29
PID 2836 wrote to memory of 3004   2836   csrssys.exe                                                      29
PID 2836 wrote to memory of 3004   2836   csrssys.exe                                                      29
PID 2836 wrote to memory of 3004   2836   csrssys.exe                                                      29
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe"
   PID: 1796
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe"
      PID: 2836
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe"
         PID: 3004
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 327KB
MD5: 06887723d01b9fefec841eb49f00dee1
SHA1: 73e86b4f3d3191ba636bd066a97f2162ad34bb97
SHA256: 61e8e515a854854f6642dbc4b000c7b988772d1b484e09462c9aab6cfd353ff2
SHA512: 55ca86c9fc2e29a77c270ef007d595aecba864fa39327267d68b34573b7977c3e33140d13a7568adcaf9175f8d51344accc6f265a1a3ab756d7deaee8a8a7836