43ad7b5b98889dde80869c308f806c12eed6dea74d00e44aae00a883c8da455c

General

Target

2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Size

274KB
MD5

e74f9822aa60915ec053281ebb5b1f21
SHA1

a78da3d5873df693d372a142b900de309bf38bfb
SHA256

43ad7b5b98889dde80869c308f806c12eed6dea74d00e44aae00a883c8da455c
SHA512

8910a72fcaaf886da756902636cae2373262fb88575e268a81dda5b9326e3be28086034de9ec5dbaff018c4aff62889f46f48e7dd9035fda83da6c4676737642
SSDEEP

6144:KYvZ6brUj+bvqHXSpWr2Kqz83Oad3Jg4PlPDIQ+KLzDDg:KYvEbrUjp3SpWggd3JBPlPDIQ3g

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

csrssys.execsrssys.exe

pid process

2872 csrssys.exe
2540 csrssys.exe

pid	process
2872	csrssys.exe
2540	csrssys.exe

Loads dropped DLL 4 IoCs

Processes:

2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.execsrssys.exe

pid	process
2196	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
2196	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
2196	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
2872	csrssys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

Processes:

2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\open	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\runas	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\Content-Type = "application/x-msdownload"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\runas\command	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\ = "wexplorer"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\runas\command\ = "\"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\ = "Application"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\DefaultIcon\ = "%1"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\csrssys.exe\" /START \"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\csrssys.exe\" /START \"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\DefaultIcon\ = "%1"	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\DefaultIcon	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\wexplorer\shell\open\command	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\DefaultIcon	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

csrssys.exe

description pid process

Token: SeIncBasePriorityPrivilege 2872 csrssys.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2872	csrssys.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.execsrssys.exe

description	pid	process	target process
PID 2196 wrote to memory of 2872	2196	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe	csrssys.exe
PID 2196 wrote to memory of 2872	2196	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe	csrssys.exe
PID 2196 wrote to memory of 2872	2196	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe	csrssys.exe
PID 2196 wrote to memory of 2872	2196	2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe	csrssys.exe
PID 2872 wrote to memory of 2540	2872	csrssys.exe	csrssys.exe
PID 2872 wrote to memory of 2540	2872	csrssys.exe	csrssys.exe
PID 2872 wrote to memory of 2540	2872	csrssys.exe	csrssys.exe
PID 2872 wrote to memory of 2540	2872	csrssys.exe	csrssys.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_e74f9822aa60915ec053281ebb5b1f21_mafia_nionspy.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Roaming\Microsoft\Posix\csrssys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Posix\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\csrssys.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Roaming\Microsoft\Posix\csrssys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Posix\csrssys.exe"
3⤵
- Executes dropped EXE
PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Posix\csrssys.exe
Filesize
274KB

MD5
cd2749ebed9b37424314fb21bca40c23

SHA1
8301a1fbf7e27d2aaec3eb7f37199c1e7cd67ecd

SHA256
a7e42ef836031411b3c5e67abc3f279fae6d9ba9c2e3fe5e413ecde67def3ce8

SHA512
10967f8f439d21c1a038e82cac1e2bd62390cc9cec00574148389da2c9b20d051993ec00887d72a0214015df3017257fda391e1924e0ceba3b3e57a34ebc0a98

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads