a97ba913edc6ad009705e3266c7d7917c7b0df7a1270278e96b0b42447dd33d3

Analysis

max time kernel
123s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Size

280KB
MD5

81fa4b9c186f62b62a97517abc048a57
SHA1

43e2c730cba0b0fbc623bb88cf6830593995b0e2
SHA256

a97ba913edc6ad009705e3266c7d7917c7b0df7a1270278e96b0b42447dd33d3
SHA512

81aa2a5f12ace898f81ac2c15987af5afc0b181360c489308f08f6e59cb42db21a0ae888e1f92586baab6e0bbcb9bb4ef5d389361760d88a7e807cb8c55d54e2
SSDEEP

6144:KQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:KQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1152	csrssys.exe
624	csrssys.exe

Loads dropped DLL 4 IoCs

pid	Process
1384	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
1384	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
1384	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
1152	csrssys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\open	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\ = "wexplorer"	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\open\command	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\ = "Application"	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\runas\command\ = "\"%1\" %*"	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\csrssys.exe\" /START \"%1\" %*"	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\runas	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\open	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\runas\command	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\runas	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\Content-Type = "application/x-msdownload"	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\DefaultIcon	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\DefaultIcon	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\open\command	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\DefaultIcon\ = "%1"	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\wexplorer\shell\runas\command	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_32\\csrssys.exe\" /START \"%1\" %*"	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1152	csrssys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1152	1384	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe	29
PID 1384 wrote to memory of 1152	1384	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe	29
PID 1384 wrote to memory of 1152	1384	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe	29
PID 1384 wrote to memory of 1152	1384	2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe	29
PID 1152 wrote to memory of 624	1152	csrssys.exe	28
PID 1152 wrote to memory of 624	1152	csrssys.exe	28
PID 1152 wrote to memory of 624	1152	csrssys.exe	28
PID 1152 wrote to memory of 624	1152	csrssys.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_81fa4b9c186f62b62a97517abc048a57_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1152

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe"
1⤵
- Executes dropped EXE
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe

Filesize
243KB

MD5
3c1ffad528c9623a62b4448cc557a85f

SHA1
d391f97c48946867bc30da865d7a62543541f6d3

SHA256
61e76b2f6ecfe0fe9dbf6e4a4eb8d91d83f725a4f9917f13a80b07c20a32db96

SHA512
ec9c46afd9fda9a1080aa3aae7686df009b5d6838eaa4b1229a24972722bfd901422b5e300c7cb6852c7a8c3ed926be0307f7f2543d43d0e6049aed7671ccd02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe

Filesize
167KB

MD5
7e91b9f14470dcd35c87edab710610e6

SHA1
48ed14c1fbc09b8b6579492af5bd44ce49601c0d

SHA256
c67ab1cb4efce4966bb8154193e7281596f9f38250c6c528e66d63d0d950d822

SHA512
1af45706e1940cd3b46a96e217101ea5713507992b38fa3a91392efa4e354f07d1bb1a4b071036d322eff0d1ca96bbb8437af51ebdbadf3c1fc265a3da148712

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe

Filesize
271KB

MD5
2d5cf41167376ae19b708db3d136fb30

SHA1
6c474759263d87d7ce962748d418ba8fe0979ed7

SHA256
125607b80c593293e399651e2d645086ff764105ba354b7d1c793e93c083b240

SHA512
0085365c8de52a0f668d42a2ab10528ddda265fc8e6e8f61fe75c7768df4976fc513ef78a2aedc5a022c4796afc309846fa5dd7b4e7417dcfb292d7b92dbaa60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe

Filesize
208KB

MD5
5c2f6697ce258e07d993cf51dab90171

SHA1
af5ab394ac0f8217dce3227be138529330f45b02

SHA256
00f1d824a846fe0918ae468e7443d2bbcf8dcb702626fd3418ea212f538af3e3

SHA512
5c72f6c9826391db8315385969857bb8072fe93ba6a531725d79f5abef88bdfb85121c1e18d9a331fce8add161081c48317706f8afbab486b333924df0ad6915

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe

Filesize
280KB

MD5
4a95d1b8a57bc31880dc290025d761e5

SHA1
b7b927945fb81963df60cbd55ffc222c8a897d6d

SHA256
015522a2e8f892735f3aacdb0d295aecdf5449b0b22eca7bb288b59c921b4a97

SHA512
c64e8277544d962c6492f9b2b272423972ccd05b085bbc793c01f8e1c1031a38d8c4cb55b857eda0049a7bc449582a6ddb622c78d2fd28bf0309877926e9bec7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe

Filesize
204KB

MD5
687fd913047d45088b26591c85910720

SHA1
32cfe26a19f622b03128320f9299c22b97f19eca

SHA256
a90054958a99611e96ea44c8eaf4cd37514b54cca9aec21b5760362bbf688728

SHA512
283a42d0e992894ac8efa13aeed86d19bf457b1796fe068ff0cd5cad20c842ed2abfa2f3154c726fc10a2b62a453fee58ab3890bdbe30e9b9f4482dd811ad24b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe

Filesize
274KB

MD5
5efe313216b52eba00ef62957ee992d7

SHA1
bc1dc8d7bc385f13b2c4e15527134a6a1ea7aef4

SHA256
69c8b12c0c8d8e997cf53347098ce059c7a29c205aee503b3686cc21c5ef4315

SHA512
c98d1317fc036e7519d25747f9e1e541797713f849767d9835cc5dd6bac5db7edb246bf2fb2b1617fbef29401fe33290160f17858a36ae572cb0eeea5accde0e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_32\csrssys.exe

Filesize
120KB

MD5
24d4ec32dda7f55b4f4ac031d405715e

SHA1
3f19ff3171236ca7b5a1f0e006b8abc3e9243bf5

SHA256
d6ca5e2d84113f5cd243c85e9e22f19fd4dc2c75cdae5e8a9093ee73897fba85

SHA512
9f57ec360aa97defb6a8008d802a6ab122d404167f760977f59b845c00373ec308155d401c796542afaabba57d3bf5a5ae6e2915957b957c247fceb1babf9e95

Download Submit