062f1d5e093138c8f4e3598c5c0e28f0558976ff89ea3579aaf3c2d983ebe5ef

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Size

280KB
MD5

58554ae82793e2fb9a351bc8de8316af
SHA1

270de32d4b69d205dd39ee2edc300008375b02de
SHA256

062f1d5e093138c8f4e3598c5c0e28f0558976ff89ea3579aaf3c2d983ebe5ef
SHA512

6a53772765585bbe72b1acb5742d393cfd67d814f163157873ff45738041cf589507a22581d60bf5d50e78cb540786397d9dad5f167174b270ef217bff819280
SSDEEP

6144:hDTz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDK:ZTBPFV0RyWl3h2E+7pl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2608	csrssys.exe
2800	csrssys.exe

Loads dropped DLL 4 IoCs

pid	Process
1220	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
1220	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
1220	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
2608	csrssys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\open\command	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\Content-Type = "application/x-msdownload"	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\csrssys.exe\" /START \"%1\" %*"	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\ = "wexplorer"	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\DefaultIcon	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\csrssys.exe\" /START \"%1\" %*"	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\open	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\runas\command	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\ = "Application"	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\DefaultIcon	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\DefaultIcon\ = "%1"	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\runas	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\runas\command\ = "\"%1\" %*"	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2608	csrssys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2608	1220	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe	28
PID 1220 wrote to memory of 2608	1220	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe	28
PID 1220 wrote to memory of 2608	1220	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe	28
PID 1220 wrote to memory of 2608	1220	2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe	28
PID 2608 wrote to memory of 2800	2608	csrssys.exe	29
PID 2608 wrote to memory of 2800	2608	csrssys.exe	29
PID 2608 wrote to memory of 2800	2608	csrssys.exe	29
PID 2608 wrote to memory of 2800	2608	csrssys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_58554ae82793e2fb9a351bc8de8316af_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe"
    3⤵
    - Executes dropped EXE
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe

Filesize
280KB

MD5
5ac2567ae0930921b12effb6534e2625

SHA1
07c4398b98aea3c7245562fe7bfe36188515275f

SHA256
ecb265a94b71da9a3779566dbe7eb987016ec947645d7e9b219e5847b298d4a4

SHA512
f9496d751a7d14f0eeb4ed23103f27ec03605260595541732448be5a9ec143861361d58ec5cf6739899dc65a1d79a3b881af1a227da052e4b7face3cf6bae849

Download Submit