Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
26/08/2024, 03:36
Static task
static1
Behavioral task
behavioral1
Sample
2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe
-
Size
327KB
-
MD5
8a51dc8f58c2c733233f2fd2d287b4fe
-
SHA1
b1b31d6b8ad36adc40a272796f0c012e9d01254d
-
SHA256
5535eab47e402dbb8ad50113cd19d821afe6b37ad6019e628289f8a5dadf1987
-
SHA512
6969c562878e9239ad2a85ee0d51f5d7df1949e2af8ed947c17df3be9710be4d36547519faf5a53a288c973ab3e2bc46f0c13fa6a30f1f87a83fb77fd7586589
-
SSDEEP
6144:T2+JS2sFafI8U0obHCW/2a7XQcsPMjVWrG89gkPzDhn2+6:T2TFafJiHCWBWPMjVWrXfn2z
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2804 dwmsys.exe 2932 dwmsys.exe -
Loads dropped DLL 4 IoCs
pid Process 2664 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe 2664 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe 2664 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe 2804 dwmsys.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dwmsys.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe -
Modifies registry class 28 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\systemui\ = "Application" 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe\shell\open 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\systemui\shell\runas 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\systemui\DefaultIcon 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\systemui\shell 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe\shell\open\command 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe\shell 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\dwmsys.exe\" /START \"%1\" %*" 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe\ = "systemui" 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe\Content-Type = "application/x-msdownload" 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe\shell\runas 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\systemui\shell\runas\command 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*" 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\systemui\shell\open\command 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*" 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Posix\\dwmsys.exe\" /START \"%1\" %*" 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\systemui\shell\runas\command\ = "\"%1\" %*" 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe\DefaultIcon\ = "%1" 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe\shell\runas\command 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\systemui 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\systemui\shell\open 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.exe\DefaultIcon 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\systemui\Content-Type = "application/x-msdownload" 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\systemui\DefaultIcon\ = "%1" 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2804 dwmsys.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2664 wrote to memory of 2804 2664 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe 31 PID 2664 wrote to memory of 2804 2664 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe 31 PID 2664 wrote to memory of 2804 2664 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe 31 PID 2664 wrote to memory of 2804 2664 2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe 31 PID 2804 wrote to memory of 2932 2804 dwmsys.exe 32 PID 2804 wrote to memory of 2932 2804 dwmsys.exe 32 PID 2804 wrote to memory of 2932 2804 dwmsys.exe 32 PID 2804 wrote to memory of 2932 2804 dwmsys.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-26_8a51dc8f58c2c733233f2fd2d287b4fe_mafia_nionspy.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Posix\dwmsys.exe"3⤵
- Executes dropped EXE
PID:2932
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
327KB
MD5e7e89273f416be3fe8659d8472d2b352
SHA161ac4436c471d38cea63501fe8731b121627e010
SHA25647b27352d91f81f55d822a3f60c02bdedca7f04c6e74e38aed5a98fc5a27caa6
SHA512eac2fa63c13abc8a07716ba83a75040189219e94e12b77e316d208f8cf9421786c0572b6e3d0c32b179243815164f5f33d67b055f8eb0617f248bde1faf9bc8f