12ac675257174206a70236522813f851ea0b8c194ffdd90e12ebb2ed8e5ed8d7

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Size

344KB
MD5

d9b6f44dc1badca21a3a5945c5218252
SHA1

0def5b228d636e0a839c51883b7077c7eb4cf9eb
SHA256

12ac675257174206a70236522813f851ea0b8c194ffdd90e12ebb2ed8e5ed8d7
SHA512

69f46751d9670d5adc7eff6382e4b98d1b314c2b7c0a2c0f708b31adafc25ed21de32883e69c4df8cd9a1d76eccacc670a1aa8b50064f3f870f33e2d97236967
SSDEEP

6144:STz+WrPFZvTXb4RyW42vFlOloh2E+7pYUozDBRm1+gmN:STBPFV0RyWl3h2E+7pYm0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2116	csrssys.exe
2704	csrssys.exe

Loads dropped DLL 4 IoCs

pid	Process
2408	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
2408	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
2408	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
2116	csrssys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\wexplorer\DefaultIcon	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\wexplorer\shell\open	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\open\command	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\wexplorer\ = "Application"	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\wexplorer\shell\runas\command\ = "\"%1\" %*"	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\runas\command	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\wexplorer	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\wexplorer\Content-Type = "application/x-msdownload"	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\runas	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\wexplorer\shell	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\csrssys.exe\" /START \"%1\" %*"	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\open	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\wexplorer\DefaultIcon\ = "%1"	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\wexplorer\shell\open\command	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\wexplorer\shell\runas	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\DefaultIcon	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\wexplorer\shell\runas\command	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\csrssys.exe\" /START \"%1\" %*"	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\ = "wexplorer"	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2116	csrssys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2116	2408	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe	28
PID 2408 wrote to memory of 2116	2408	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe	28
PID 2408 wrote to memory of 2116	2408	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe	28
PID 2408 wrote to memory of 2116	2408	2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe	28
PID 2116 wrote to memory of 2704	2116	csrssys.exe	29
PID 2116 wrote to memory of 2704	2116	csrssys.exe	29
PID 2116 wrote to memory of 2704	2116	csrssys.exe	29
PID 2116 wrote to memory of 2704	2116	csrssys.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_d9b6f44dc1badca21a3a5945c5218252_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe"
    3⤵
    - Executes dropped EXE
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\csrssys.exe

Filesize
344KB

MD5
bad0feb32d4a17699aad2eaf305ab916

SHA1
a49964ea7c9e29f6781a363812ffc0f333f57af4

SHA256
1e3002b852cce9d1276161a898d8d775f299e11a5ef2383699de1ab5aef096f2

SHA512
6585bb685ac494a9eff3ae5fac74d83630242f30f6218ec659b4de1bb9ecdd5a2ac958debe646adeca1d96cf1c93b425d8858b8f3d22f638e107c3ca87a978c7

Download Submit