Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/03/2024, 01:43

General

  • Target

    2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe

  • Size

    344KB

  • MD5

    8f303194505a2d82efc89674946843dd

  • SHA1

    02441b79c2d46b6691ca68c1e8d63b5419c74cfd

  • SHA256

    e238beefddce71ef690d2c518121dad1cb301de4037cbcc102a24a4948c7ca9a

  • SHA512

    ed963cc080382a2f811b8636452a839fa3dcb953f73c0ae18ba9302e7f5972402c2f456fc61b80593c7e920c7fd43b4c7d6499f9381d87dd630ad4e2100d9142

  • SSDEEP

    6144:VoTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:qTBPFV0RyWl3h2E+7pYm0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (30 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-08_8f303194505a2d82efc89674946843dd_mafia_nionspy.exe"
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID: 400
    • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe"
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID: 2136
      • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe"
        • Executes dropped EXE
        PID: 4108
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
    PID: 3128

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe

    Filesize

    344KB

    MD5

    729ccd5f465e3e8c53895f88bfcf0cdb

    SHA1

    52ffc6623bed44df0f788e8457f44af80b4da611

    SHA256

    de8e32d0a754e4e00571263ecbd6da92604e7706aa7c26d198397d0d9d91da7c

    SHA512

    fabb6493725e5e51a1df097d7559ead54c50f36cb1ab9877e1e411897408b0d1281e9b15c3454af784eabea39fcd11e40bc39f15528d0abe6fbe1f196ebe2c9c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe

    Filesize

    175KB

    MD5

    599b596a4f2bb7594d5765e6d6956225

    SHA1

    fa745586c2793322d565595373eb2ffad771e557

    SHA256

    df2bc7e4ceb6afc0652f5705403ed54b8c3b67c86a2b1099759ab139549bbbae

    SHA512

    5bdc22994e358c18d474890e1faa15c8a1e9d59336887a1e58520e34f0a3f589ed3400bee06da46c59de6d6db836ec185edd920d8de961f688f6f3ba55d53158