739a2b93141723c8880cd1e805abffc7f0b9541d71c7a7d4ac25f1d8b4b47f3b

Analysis

max time kernel
121s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Size

344KB
MD5

0b8787962fafbaa239da627098f4e0af
SHA1

d1ce6cf715b7daf66ec022edad59e69d77592a18
SHA256

739a2b93141723c8880cd1e805abffc7f0b9541d71c7a7d4ac25f1d8b4b47f3b
SHA512

5823e7b14528bf0a131bba518f648dde7ba80cde247087fbc77f55ff474e3a5bfd8a71c9d87746afeef876b1d98f83a6556aeeeafb684db083ca5214d4c32058
SSDEEP

6144:mTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:mTBPFV0RyWl3h2E+7pYm0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2716	csrssys.exe
2684	csrssys.exe

Loads dropped DLL 4 IoCs

pid	Process
2136	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
2136	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
2136	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
2716	csrssys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\wexplorer\shell\open\command	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\wexplorer\shell\runas\command	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\runas\command	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\wexplorer\ = "Application"	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\wexplorer\DefaultIcon	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\wexplorer\shell\open	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\DefaultIcon	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\csrssys.exe\" /START \"%1\" %*"	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\runas	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\ = "wexplorer"	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\wexplorer	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\wexplorer\shell\runas	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\wexplorer\shell\runas\command\ = "\"%1\" %*"	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\wexplorer\shell	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\csrssys.exe\" /START \"%1\" %*"	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\open\command	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\open	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\wexplorer\Content-Type = "application/x-msdownload"	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\wexplorer\DefaultIcon\ = "%1"	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2716	csrssys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2716	2136	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe	28
PID 2136 wrote to memory of 2716	2136	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe	28
PID 2136 wrote to memory of 2716	2136	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe	28
PID 2136 wrote to memory of 2716	2136	2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe	28
PID 2716 wrote to memory of 2684	2716	csrssys.exe	29
PID 2716 wrote to memory of 2684	2716	csrssys.exe	29
PID 2716 wrote to memory of 2684	2716	csrssys.exe	29
PID 2716 wrote to memory of 2684	2716	csrssys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_0b8787962fafbaa239da627098f4e0af_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe"
    3⤵
    - Executes dropped EXE
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe

Filesize
344KB

MD5
18a750f8fbcabc8c5dc63383e46ff279

SHA1
526f9c5514635f96d278f65903a1be389a0637e2

SHA256
05e4f1dfcbffc16de10af1d409aa0ecb6b2015ebf7f2e86996231a5dac11aee6

SHA512
d1d02276433bcd3e0ade0f6a6216e9f2e105c5b6219614b4fe727d27018da31201f97f900f6d7693fa1dc1a229c7ee1be60527a185c93cab9c66533454540fce

Download Submit