Analysis

  • max time kernel
    123s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/02/2024, 00:57

General

  • Target

    2024-02-29_ead23e80921e44fa779c8fe6a114539a_mafia_nionspy.exe

  • Size

    288KB

  • MD5

    ead23e80921e44fa779c8fe6a114539a

  • SHA1

    253c7c82be38fe05317d8238425af43cb4c7f253

  • SHA256

    ff4672c7dfa986053e0b8ed31c9dd7e62f181ba2c50c40a76751aab5ab759239

  • SHA512

    129046a1ae831228f41d115b6f1ed8382523fa5928b215ed3d4b8b1370fad0a87b56bcb45bec50e82c4db979d03209b9795f3be57ca0d1f34ed2e281016d2f42

  • SSDEEP

    6144:NQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:NQMyfmNFHfnWfhLZVHmOog

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-29_ead23e80921e44fa779c8fe6a114539a_mafia_nionspy.exe (process tree level 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-29_ead23e80921e44fa779c8fe6a114539a_mafia_nionspy.exe"
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe (process tree level 2, child of PID 1688)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe (process tree level 3, child of PID 1880)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe"
        • Executes dropped EXE
        PID:3008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe

    Filesize

    8KB

    MD5

    10740276c2d72e7e904b471b3ae80fd4

    SHA1

    a561f5573bee32e5939069653b624bd440cbb7d9

    SHA256

    9389d278b4a6c261f10540b5ee32325381b9a0590332f9b7c06fce4e655cc5e3

    SHA512

    1598185dac52ed14974436d7fc0c33b0ef874f28d792a855b4cfa12e1f646f8779007846ff14e30ba8bc24ba29dbddb519d8f00208d8c4dd0c3c54aa796bd240

  • \Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe

    Filesize

    256KB

    MD5

    382b25b6774be0ba48a9cb7cf7aec5b6

    SHA1

    6d5212f575ef872a671a01457ff51ab1ae3ffe7f

    SHA256

    6458d7a949d51a820583994b977712949afab31453da9715de06f6b4a8775115

    SHA512

    859f84a150367da66d8e786d2dda15091c97aeb50dfd1ab1bfc13f53117f14af83db5d4dbf4f9c5eed3918382c9285bc160760a6188784454805a9b0f67c942c

  • \Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe

    Filesize

    288KB

    MD5

    3cc8fb723581cf0ea552b2260dfbc289

    SHA1

    8065fb590c14834951878ede669e6812a2b613ff

    SHA256

    cd63d4e3db8898627bbf0968ee8c34b6be3731785eb5998cb946b2d99f718de0

    SHA512

    7f7b31ebead616e8bb8a8aad5d2a45eb52c144ee8a29ca3aa2c233238412c2b1d380931909b007b635f9b510343b01a632cc171516c7636d3e79a80a7c211144