fe065726a5e71f1aa1c189c7d0294b2f3be7597c3e0a557dfac0a12f2185756c

Analysis

max time kernel
121s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-02-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Size

327KB
MD5

c2af3fb380f4572646f3d4012e98c8c8
SHA1

dc105eaef28fb9ff44888e8cc5cf88c4114ed681
SHA256

fe065726a5e71f1aa1c189c7d0294b2f3be7597c3e0a557dfac0a12f2185756c
SHA512

e42f4f13cb381cf514d733fcc75b29c17f395d6f6db30ff9fd477b45accbf080730e8ce068f5be6388c0fb2b4da7bdd538ef554f35ee41289eec33329df28897
SSDEEP

6144:N2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG8KgbPzDh:N2TFafJiHCWBWPMjVWrXK0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2612	csrssys.exe
2704	csrssys.exe

Loads dropped DLL 4 IoCs

pid	Process
2860	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
2860	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
2860	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
2612	csrssys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\wexplorer\ = "Application"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\wexplorer\shell	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\open\command	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\runas	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\wexplorer\DefaultIcon\ = "%1"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\ = "wexplorer"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\DefaultIcon	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\wexplorer	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\wexplorer\Content-Type = "application/x-msdownload"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\csrssys.exe\" /START \"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\wexplorer\shell\runas\command	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\wexplorer\shell\runas	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\open	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\wexplorer\shell\runas\command\ = "\"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\runas\command	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\wexplorer\DefaultIcon	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\wexplorer\shell\open\command	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\wexplorer\shell\open	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\csrssys.exe\" /START \"%1\" %*"	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2612	csrssys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2612	2860	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe	28
PID 2860 wrote to memory of 2612	2860	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe	28
PID 2860 wrote to memory of 2612	2860	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe	28
PID 2860 wrote to memory of 2612	2860	2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe	28
PID 2612 wrote to memory of 2704	2612	csrssys.exe	29
PID 2612 wrote to memory of 2704	2612	csrssys.exe	29
PID 2612 wrote to memory of 2704	2612	csrssys.exe	29
PID 2612 wrote to memory of 2704	2612	csrssys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_c2af3fb380f4572646f3d4012e98c8c8_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe"
    3⤵
    - Executes dropped EXE
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe

Filesize
327KB

MD5
b9e88641e209d7e7c3fbc5eeae8b4e6e

SHA1
a3bea9e4885ad65a55c35f1c52b8ef14d801b2a7

SHA256
8dfa4d60a062ed970b1f9549bae4066123c157f548aa2ec824a4372631f04ada

SHA512
486bee52578ceab5e3da39624ce09c607d419f109339cd9e07f4d306a4646908abc7ddd3a5281bedc384fba0bd0bf8dcc1ae874c82e5634fc861a2134a169614

Download Submit