0f760a75b0f4699554e8a68a8b8db7fe8b751f94dc87f77554d400c8a607dda7

Analysis

max time kernel
121s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Size

274KB
MD5

758027352d5c265b9772e67d2873e3a9
SHA1

9c774e750f540e9b4e4ca80f163ee5f11f321e32
SHA256

0f760a75b0f4699554e8a68a8b8db7fe8b751f94dc87f77554d400c8a607dda7
SHA512

1c26894d1aff4617e8430cebfdd5d4a3e746f8d1248655215d02e51418b988e76544da66c9b9118d6467a104f8662cf6076b5b871e7d3ecf0c06f6b716dc2b94
SSDEEP

6144:ZYvZ6brUj+bvqHXSpWr2Kqz83Oad3Jg4PlPDIQ+KLzDDg:ZYvEbrUjp3SpWggd3JBPlPDIQ3g

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1740	csrssys.exe
2648	csrssys.exe

Loads dropped DLL 4 IoCs

pid	Process
1420	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
1420	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
1420	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
1740	csrssys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\wexplorer\DefaultIcon	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\wexplorer\DefaultIcon\ = "%1"	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\wexplorer\shell\open	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\wexplorer\Content-Type = "application/x-msdownload"	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\wexplorer\shell\open\command	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\wexplorer\shell\runas\command	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\wexplorer\shell\runas	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\csrssys.exe\" /START \"%1\" %*"	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\DefaultIcon	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\wexplorer	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\ = "wexplorer"	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\csrssys.exe\" /START \"%1\" %*"	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\wexplorer\ = "Application"	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\wexplorer\shell	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\wexplorer\shell\runas\command\ = "\"%1\" %*"	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1740	csrssys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1740	1420	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe	28
PID 1420 wrote to memory of 1740	1420	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe	28
PID 1420 wrote to memory of 1740	1420	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe	28
PID 1420 wrote to memory of 1740	1420	2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe	28
PID 1740 wrote to memory of 2648	1740	csrssys.exe	29
PID 1740 wrote to memory of 2648	1740	csrssys.exe	29
PID 1740 wrote to memory of 2648	1740	csrssys.exe	29
PID 1740 wrote to memory of 2648	1740	csrssys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_758027352d5c265b9772e67d2873e3a9_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe"
    3⤵
    - Executes dropped EXE
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\csrssys.exe

Filesize
274KB

MD5
b1df7a6c62b7be614f0d04c393252388

SHA1
da3f96401acc323b4a0a337f2cbec6b79b87f45d

SHA256
faa8b4471a445ccb62f5444ac2bb0ea4c5da77e840ef4e295a2ec853dabaeeea

SHA512
431df9e8448edb7852fa69b351a98ddfc7ba5d073fc3580a00dbb95f9c74d20618cc7d14039ec8fc3de20fbd7bb77542b2282b6fe5c9835d546f3f73344652e8

Download Submit