Analysis
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 12/02/2024, 13:49
Static task: static1
Behavioral task: behavioral1
Sample: 2024-02-12_961c69a6fc780beec70d9bae1aab4498_mafia_nionspy.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 2024-02-12_961c69a6fc780beec70d9bae1aab4498_mafia_nionspy.exe
Resource: win10v2004-20231215-en
General
Target: 2024-02-12_961c69a6fc780beec70d9bae1aab4498_mafia_nionspy.exe
Size: 344KB
MD5: 961c69a6fc780beec70d9bae1aab4498
SHA1: 5ea26c67284c8c557127e6dfd4bedcb59f069810
SHA256: a026c256a37e87eb6b5687ec32c51ee209701b30562ecf3d28a724aaf9f15aa0
SHA512: 4e195f5106c791453e3ece8f79774f836a2696c83681db2e23cd2cee8e7242056a33742fe18c522c9c09a1dbdb64e559b57b67810d5abd7414e400aeb536d286
SSDEEP: 6144:7Tz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:7TBPFV0RyWl3h2E+7pYm0
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
PID   Process
2716  wlogon32.exe
2784  wlogon32.exe

Loads dropped DLL (4 IoCs)
PID   Process
2288  2024-02-12_961c69a6fc780beec70d9bae1aab4498_mafia_nionspy.exe
2288  2024-02-12_961c69a6fc780beec70d9bae1aab4498_mafia_nionspy.exe
2288  2024-02-12_961c69a6fc780beec70d9bae1aab4498_mafia_nionspy.exe
2716  wlogon32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (28 IoCs)
All 28 writes are made by 2024-02-12_961c69a6fc780beec70d9bae1aab4498_mafia_nionspy.exe under \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES, which is the user's HKCU\Software\Classes and takes precedence over the machine-wide associations in HKLM\Software\Classes. Paths below are relative to that root, a trailing backslash denotes the key's default value, and string data is shown unescaped.

Key created      .exe
Set value (str)  .exe\ = haldriver
Key created      .exe\shell\runas\command
Key created      .exe\shell\runas
Set value (str)  .exe\shell\runas\command\IsolatedCommand = "%1" %*
Key created      haldriver\shell\open\command
Key created      haldriver\shell\open
Key created      .exe\shell\open
Set value (str)  .exe\shell\open\command\ = "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe" /START "%1" %*
Key created      .exe\shell\open\command
Set value (str)  haldriver\DefaultIcon\ = %1
Key created      haldriver\shell
Set value (str)  .exe\Content-Type = application/x-msdownload
Set value (str)  .exe\DefaultIcon\ = %1
Key created      haldriver\shell\runas
Set value (str)  haldriver\shell\runas\command\ = "%1" %*
Set value (str)  .exe\shell\runas\command\ = "%1" %*
Set value (str)  haldriver\ = Application
Key created      haldriver\DefaultIcon
Set value (str)  .exe\shell\open\command\IsolatedCommand = "%1" %*
Key created      haldriver
Set value (str)  haldriver\shell\open\command\ = "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe" /START "%1" %*
Key created      haldriver\shell\runas\command
Set value (str)  haldriver\shell\open\command\IsolatedCommand = "%1" %*
Set value (str)  haldriver\Content-Type = application/x-msdownload
Set value (str)  haldriver\shell\runas\command\IsolatedCommand = "%1" %*
Key created      .exe\DefaultIcon
Key created      .exe\shell

Taken together these writes re-point the .exe extension at a new ProgID (haldriver) whose open verb runs the dropped wlogon32.exe with /START "%1" %*, so every executable the user launches afterwards passes through the implant, which then starts the program the user actually asked for (MITRE ATT&CK T1546.001, Event Triggered Execution: Change Default File Association). The runas verb and the IsolatedCommand values are set to the stock "%1" %*, so only the plain open verb is diverted.
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token                       PID   Process
SeIncBasePriorityPrivilege  2716  wlogon32.exe

Suspicious use of WriteProcessMemory (8 IoCs)
PID 2288 (2024-02-12_961c69a6fc780beec70d9bae1aab4498_mafia_nionspy.exe) wrote to memory of PID 2716, procid_target 28: 4 identical entries
PID 2716 (wlogon32.exe) wrote to memory of PID 2784, procid_target 29: 4 identical entries
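The "Modifies registry class" rows above are the whole persistence mechanism, so they are worth checking mechanically rather than by eye. The Python below is an added example, not part of the Triage report and not the sandbox's own code: it parses rows in the format the report prints (operation, value path, data), strips the per-user hive prefix, and applies two rules that together catch a .exe association hijack: the .exe key's default no longer naming the stock ProgID exefile, and any ProgID's shell\<verb>\command default being something other than "%1" %*. The sample rows are transcribed from the table above; the rule names, the Finding fields and the forwards_target flag are my own choices.

```python
import re
from typing import NamedTuple, Optional

# The report shows keys under the per-user hive; on a live host the same keys
# are HKCU\Software\Classes\..., which override HKLM\Software\Classes for that user.
HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+_CLASSES\\", re.IGNORECASE)
VERB_RE = re.compile(r"^(?P<progid>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command$", re.IGNORECASE)
# Stock exefile handler: run the clicked file itself and pass its arguments through.
BENIGN_RE = re.compile(r'^"%1"\s+%\*$')
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)

CLASSES_ROOT = "\\REGISTRY\\USER\\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\\"
DROPPER_CMD = '"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe" /START "%1" %*'

# Subset of the "Modifies registry class" rows, transcribed as (operation, path, data).
SAMPLE_IOCS = [
    ("Key created", CLASSES_ROOT + ".exe", None),
    ("Set value (str)", CLASSES_ROOT + ".exe\\", "haldriver"),
    ("Set value (str)", CLASSES_ROOT + ".exe\\shell\\open\\command\\", DROPPER_CMD),
    ("Set value (str)", CLASSES_ROOT + ".exe\\shell\\open\\command\\IsolatedCommand", '"%1" %*'),
    ("Set value (str)", CLASSES_ROOT + ".exe\\shell\\runas\\command\\", '"%1" %*'),
    ("Set value (str)", CLASSES_ROOT + "haldriver\\", "Application"),
    ("Set value (str)", CLASSES_ROOT + "haldriver\\shell\\open\\command\\", DROPPER_CMD),
    ("Set value (str)", CLASSES_ROOT + "haldriver\\shell\\runas\\command\\", '"%1" %*'),
    ("Set value (str)", CLASSES_ROOT + "haldriver\\Content-Type", "application/x-msdownload"),
]


class RegWrite(NamedTuple):
    op: str              # "Key created" or "Set value (str)", as the report prints it
    key: str             # key path relative to the user's Classes root
    name: str            # value name; "(Default)" for the key's default value
    data: Optional[str]


class Finding(NamedTuple):
    kind: str                # "progid-redirect" or "verb-hijack"
    key: str
    target: Optional[str]    # new ProgID, or the executable the verb now launches
    forwards_target: bool    # handler still passes "%1" %* on, so the victim app runs too


def parse_write(op: str, raw_path: str, data: Optional[str]) -> RegWrite:
    """Split one report row into (relative key, value name, data).

    The report prints a value path with a trailing backslash for a key's
    default value and with the value name as the last component otherwise.
    """
    rel = HIVE_RE.sub("", raw_path)
    if op.startswith("Key created"):
        return RegWrite(op, rel.rstrip("\\"), "", data)
    if rel.endswith("\\"):
        return RegWrite(op, rel.rstrip("\\"), "(Default)", data)
    key, _, name = rel.rpartition("\\")
    return RegWrite(op, key, name, data)


def find_hijacks(writes):
    """Apply two rules that together catch a .exe association hijack."""
    findings = []
    for w in writes:
        if not w.op.startswith("Set value") or w.name != "(Default)":
            continue
        data = w.data or ""
        # Rule 1: .exe no longer resolves to the stock "exefile" ProgID.
        if w.key.lower() == ".exe" and data.lower() != "exefile":
            findings.append(Finding("progid-redirect", w.key, data, False))
            continue
        # Rule 2: a shell verb's command is no longer just "%1" %*.
        if VERB_RE.match(w.key) and not BENIGN_RE.match(data):
            exe = EXE_RE.match(data)
            findings.append(Finding("verb-hijack", w.key,
                                    exe.group("exe") if exe else None,
                                    '"%1" %*' in data))
    return findings


def analyze(rows=SAMPLE_IOCS):
    return find_hijacks([parse_write(*row) for row in rows])


if __name__ == "__main__":
    for f in analyze():
        suffix = "  (still forwards the original target)" if f.forwards_target else ""
        print(f"{f.kind:16} {f.key:32} -> {f.target}{suffix}")
```

On a live host the same two rules apply to HKCU:\Software\Classes\.exe and HKCU:\Software\Classes\<ProgID>\shell\open\command (read with Get-ItemProperty, for instance); the stock values are exefile and "%1" %*. The forwards_target flag is what makes this hijack quiet: the user's program still starts, just one hop later.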
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-02-12_961c69a6fc780beec70d9bae1aab4498_mafia_nionspy.exe (PID 2288)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-12_961c69a6fc780beec70d9bae1aab4498_mafia_nionspy.exe"
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe (PID 2716, child of 2288)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe (PID 2784, child of 2716)
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"
         - Executes dropped EXE
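The process tree and the WriteProcessMemory rows should be read together: both memory writes in this run land in a process the writer has just spawned (2288 into its child 2716, 2716 into its child 2784), which is the pattern process creation produces in these reports, as opposed to a write into an unrelated, pre-existing process. The Python below is an added example, not part of the Triage report: it rebuilds the parent/child edges from the tree, labels each WriteProcessMemory edge as child-at-spawn or cross-process, and tags each hop of the chain that runs a binary from a user-writable directory, including the self-relaunch of wlogon32.exe and its /START switch. The process data is transcribed from the tree above; the tag names and the user-writable-directory list are my own heuristic.

```python
from typing import NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    parent: Optional[int]   # None for the root of the tree as the report shows it
    image: str
    cmdline: str


# Process tree from the report above, transcribed by hand.
XMMC_EXE = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe"
SAMPLE_EXE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
              "2024-02-12_961c69a6fc780beec70d9bae1aab4498_mafia_nionspy.exe")
SAMPLE_PROCS = [
    Proc(2288, None, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    Proc(2716, 2288, XMMC_EXE, f'"{XMMC_EXE}" /START "{XMMC_EXE}"'),
    Proc(2784, 2716, XMMC_EXE, f'"{XMMC_EXE}"'),
]
# "Suspicious use of WriteProcessMemory" rows as (writer pid, target pid), one per row.
SAMPLE_WRITES = [(2288, 2716)] * 4 + [(2716, 2784)] * 4

# Directories a standard user can write to (heuristic, not exhaustive).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def classify_writes(procs, writes):
    """Group WriteProcessMemory rows by (writer, target) and label each edge.

    A write into the writer's own direct child is what process creation looks
    like in these reports; a write into any other process is a cross-process
    write that deserves a closer look (injection, hollowing).
    """
    parent_of = {p.pid: p.parent for p in procs}
    edges = {}
    for writer, target in writes:
        kind = "child-at-spawn" if parent_of.get(target) == writer else "cross-process"
        edge = edges.setdefault((writer, target), {"count": 0, "kind": kind})
        edge["count"] += 1
    return edges


def execution_chain(procs):
    """Tag every non-root process that runs from a user-writable directory."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.parent is None or not is_user_writable(p.image):
            continue
        parent = by_pid[p.parent]
        tags = ["exec-from-user-writable-dir"]
        if parent.image.lower() == p.image.lower():
            tags.append("self-relaunch")          # same binary spawning itself
        elif is_user_writable(parent.image):
            tags.append("parent-also-from-user-writable-dir")
        if "/start" in p.cmdline.lower():
            tags.append("start-switch")           # same switch the hijacked .exe handler passes
        findings.append((p.pid, tags))
    return findings


if __name__ == "__main__":
    for (writer, target), edge in classify_writes(SAMPLE_PROCS, SAMPLE_WRITES).items():
        print(f"{writer} -> {target}: {edge['count']} writes, {edge['kind']}")
    for pid, tags in execution_chain(SAMPLE_PROCS):
        print(f"PID {pid}: {', '.join(tags)}")
```

The child-at-spawn label is a triage aid, not proof of benign behaviour: the child here is a dropped binary, and the cross-process label is only meaningful once the process list is complete, so feed it the full tree rather than the excerpt a signature shows.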
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 274KB
MD5: a9b6051ed745a08c69936d5cb2bc9cd0
SHA1: b651c52e369d4379c692362d4ea222ab29fa5b75
SHA256: 1511bc07b8c5c04abfcf35131f637deb9c8aeb6f186e25da39c1eb1a8d00820f
SHA512: 2c7963da29b7801eb58be1b85588b234f381a00873e5d8d8741b2b6bc38d8544eeb905f0c337edccbbe0f043e16c7241a9a10154e15aac79b54946c517076ca1

Filesize: 138KB
MD5: d7e59ac0b728ee78852c9e8cd42b5659
SHA1: 9bdbf4d445be4d1e508527fb582b265a445dce05
SHA256: 4768fbb7fb9466aede5c8a0ed96489adc991a6c59905e269246cc13ce83d8e5f
SHA512: 133a64ca37197e325393016c5a8e549251079700174e98a01e8e387616d822001731b6ad814869a29fa4f3b1bcef900e613cf02dc65c7f88909ef2b463cd3f37

Filesize: 127KB
MD5: e520f05dcc99001d24de3c48c76ace5a
SHA1: 77c2906e85d47ea4f8a5ed8b1d170a2ab5481ff0
SHA256: ee749d2a4bb24e97be9022486262d6075b81f8c7bfe334eba2de053cbe07657c
SHA512: f32bee8d57304b2a089b623d4be742b288cfbd6f9acd82766e999a82f79f0ccd6a8ab024b3c01ed25f4544f52f5b0547bc26b8bfe2523621b83cc29a8ae729d4

Filesize: 344KB
MD5: 0248c000af9c222e70b6c79ad1667537
SHA1: 2a57a07f627d8dcd7624049b74db477cff00f3f6
SHA256: 218d9f08ba578ea92c93865a6113d702dc063089c66b67d9c948a06d513c0776
SHA512: be057588cac6a459ec5b942b9a4bcb51bbb89ddbf5ec415a0b7dec529a2fda35ef7deadec65b80f31e1668dbf4035388c1c5cc71b1f83a61b0d8789ed5b89bac

Filesize: 293KB
MD5: 26300832574a474889241c97f0d333a4
SHA1: de421d78f64f8062df7307bc36e8d39b100b63cb
SHA256: b7a0575d39fce3074e5c1266899a55ad9bc99159437793e519ac1895cf519f3b
SHA512: eae45a4673b31961bc8b71fabb965ecfb92929d3078b8b1da32178fe8fdc7f18bcbe6271828e965e14b2dbcaa3c08b93394adf3979c3e2946c26b0e5ef1beb4e

Filesize: 101KB
MD5: 97b9a5fc3a0491e458fc243fce466e93
SHA1: 75ac25fefd929cc3bc82eaac1575dd9cbeb6ae88
SHA256: 2f52c03959581ed6b6d4f11375395a917bf1bf597d0651500891a60d52f51d3f
SHA512: 514826b29524b2fe77091e384d567967c801ad572440fe4289fcd6d1344e19c8888096bbf60f0aeaa59fb01c2879d2f1579eb824a08602fa6e16727238e040a3