Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    123s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26/01/2024, 07:46

General

  • Target

    2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe

  • Size

    327KB

  • MD5

    28d0751662e13a00f88f021f3d1916df

  • SHA1

    ae455b75fa3b7283f4e3c905df7a819e93811450

  • SHA256

    bb0938af191ac83a0b0d891a6f72f890ab14ee039e9e581ca3b6bc62f92f161d

  • SHA512

    3b9e47f70c5b0f633a389813faf1c1e25205e3c02e8469c8d1706387af0b280f8ad68bd51ca7a863fce6545857aaebb6f9a4ad011d33f34858973432953f55bc

  • SSDEEP

    6144:l2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:l2TFafJiHCWBWPMjVWrXK0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-26_28d0751662e13a00f88f021f3d1916df_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe"
        3⤵
        • Executes dropped EXE
        PID:3004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe

    Filesize

    327KB

    MD5

    06887723d01b9fefec841eb49f00dee1

    SHA1

    73e86b4f3d3191ba636bd066a97f2162ad34bb97

    SHA256

    61e8e515a854854f6642dbc4b000c7b988772d1b484e09462c9aab6cfd353ff2

    SHA512

    55ca86c9fc2e29a77c270ef007d595aecba864fa39327267d68b34573b7977c3e33140d13a7568adcaf9175f8d51344accc6f265a1a3ab756d7deaee8a8a7836