Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 18:19

Static task: static1

Behavioral task: behavioral1
- Sample: 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
- Size: 280KB
- MD5: ceb8d72171999b8d9901f10e0d90103d
- SHA1: cc46b41b3005a8dafa3cdcf871c27d9da582080c
- SHA256: 3b4cf516bd4119cbbdcf878b99d6094963fe0cac3dd51a0cc9d61a0ac2c3a6b6
- SHA512: fbedff636a02fc4354fbafc0b1fef21fdfb2e6e5325b1536e2499c14bb0a64e506d009d2ca57e8919b1e793a2b5eaf51157c6130137b3471931f01ed92eea8b5
- SSDEEP: 6144:RQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:RQMyfmNFHfnWfhLZVHmOog
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: pid 2520 csrssys.exe; pid 2940 csrssys.exe
- Loads dropped DLL (3 IoCs)
  Processes: pid 3008 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe (three loads; the report does not name the DLLs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (28 IoCs)
  Process for every row: 2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
  HIVE = \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES (the logged-on user's classes hive, i.e. HKCU\Software\Classes)

  description     | ioc
  Key created     | HIVE\wexplorer
  Set value (str) | HIVE\wexplorer\shell\runas\command\ = "\"%1\" %*"
  Set value (str) | HIVE\.exe\Content-Type = "application/x-msdownload"
  Set value (str) | HIVE\.exe\ = "wexplorer"
  Key created     | HIVE\.exe\shell\runas
  Set value (str) | HIVE\wexplorer\ = "Application"
  Key created     | HIVE\wexplorer\shell\open
  Key created     | HIVE\wexplorer\shell\runas\command
  Set value (str) | HIVE\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"
  Set value (str) | HIVE\.exe\shell\runas\command\ = "\"%1\" %*"
  Key created     | HIVE\.exe\DefaultIcon
  Key created     | HIVE\.exe\shell
  Set value (str) | HIVE\wexplorer\DefaultIcon\ = "%1"
  Set value (str) | HIVE\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"
  Key created     | HIVE\.exe
  Key created     | HIVE\.exe\shell\open\command
  Set value (str) | HIVE\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"
  Set value (str) | HIVE\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"
  Key created     | HIVE\wexplorer\shell\open\command
  Set value (str) | HIVE\wexplorer\Content-Type = "application/x-msdownload"
  Key created     | HIVE\wexplorer\DefaultIcon
  Set value (str) | HIVE\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\csrssys.exe\" /START \"%1\" %*"
  Set value (str) | HIVE\.exe\DefaultIcon\ = "%1"
  Key created     | HIVE\wexplorer\shell
  Key created     | HIVE\wexplorer\shell\runas
  Key created     | HIVE\.exe\shell\open
  Set value (str) | HIVE\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\csrssys.exe\" /START \"%1\" %*"
  Key created     | HIVE\.exe\shell\runas\command

  What these 28 writes add up to: the sample points the `.exe` extension in the user's own classes hive at a new ProgID, `wexplorer`, whose `open` verb is `"C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe" /START "%1" %*`, and it writes the same hook a second time directly under the `.exe` key. From then on every executable this user opens through the Shell is started via the dropped csrssys.exe, which receives the real target as `%1`. The `runas` verb and the `IsolatedCommand` values are created but set to the stock `"%1" %*`, so elevated launches do not pass through the hook. Because HKCU\Software\Classes overrides HKLM\Software\Classes and needs no administrator rights, this is user-level persistence by file-association hijack (MITRE ATT&CK T1546.001, Event Triggered Execution: Change Default File Association). When cleaning up, remove the `.exe` and `wexplorer` keys from HKCU\Software\Classes as well as the dropped file; deleting only csrssys.exe leaves the association pointing at a missing handler and breaks launching of every .exe for that user.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 2520 csrssys.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3008 (2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe) wrote to memory of PID 2520 (csrssys.exe): 4 entries
  PID 2520 (csrssys.exe) wrote to memory of PID 2940 (csrssys.exe): 4 entries
  In both cases the target is the child the writer itself spawned (see the process tree below); the report records no writes into unrelated processes.
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-23_ceb8d72171999b8d9901f10e0d90103d_mafia_nionspy.exe"
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe"
         - Executes dropped EXE

The level-2 command line has the same shape as the hijacked `open` verb (`csrssys.exe /START "<target>" %*`), here with the dropped file itself as the target, and level 3 is that target started with no arguments. The chain is therefore consistent with the sample exercising its own `/START` handler once during installation; the handler's full argument processing is not shown in this report.
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\AppData\Roaming\Microsoft\Sys32\csrssys.exe
  Filesize: 280KB
  MD5: 71385b07084f58738ace75e5402f49ed
  SHA1: 26daefe62446afedad5e04479d23904167be8561
  SHA256: 21ad496c9b0fc763076c31299d6108c495be19423e61e549b3c801b75217d98e
  SHA512: 92dde462fbf26d68b3b8e35cd960949f7f53cfea64c672fd2fc2f7e147bfe44e89e9595fd9497889926899ae4d214fcb5efc309c41e0f8e5f9cb76ea47cab3af
  Note: the dropped file is reported at the same 280KB as the submitted sample but with different hashes, so it is not a byte-identical copy; hunt on the %APPDATA%\Microsoft\Sys32\csrssys.exe path (a location no Microsoft component uses for the real csrss.exe) and on both hash sets, not on the submitted sample's hashes alone.