Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2024-09-04...py.exe

windows7-x64

7

2024-09-04...py.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    123s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/09/2024, 03:25 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-04_045d5a066cb22aa908048dcbead40f1f_mafia_nionspy.exe

  • Size

    280KB

  • MD5

    045d5a066cb22aa908048dcbead40f1f

  • SHA1

    fe347a27c3f9c9e7214b891a0128420330f31406

  • SHA256

    1b4701f89d5ae363fc9f4bc4bc37345486cf502b23d159880913fc73964d30b4

  • SHA512

    760e6bae57d6d69187e469ca3dc20f6e241cafe137547d38dbcfbadc8455349a5cda8624e11d2fd572de196b9e348e00d14f00a0fa8599d62ec50d97ae393aca

  • SSDEEP

    6144:AQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:AQMyfmNFHfnWfhLZVHmOog

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-04_045d5a066cb22aa908048dcbead40f1f_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-04_045d5a066cb22aa908048dcbead40f1f_mafia_nionspy.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:276
    • C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe"
        3⤵
        • Executes dropped EXE
        PID:2712

Network

  • flag-us
    DNS
    nwoccs.zapto.org
    csrssys.exe
    Remote address:
    8.8.8.8:53
    Request
    nwoccs.zapto.org
    IN A
    Response
No results found
  • 8.8.8.8:53
    nwoccs.zapto.org
    dns
    csrssys.exe
    62 B
     122 B
     1
    1

    DNS Request

    nwoccs.zapto.org

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\Microsoft\SView\csrssys.exe
    Filesize

    280KB

    MD5

    a5a65c59cc9cbeaccee88fbd8b41043e

    SHA1

    91fd453940779ae3852543b958aa54c77bc9a799

    SHA256

    6a6a2352947de8beff44ecd6cd9c2fbf5f854a6906e240a7934b83a38c1b5615

    SHA512

    d32e27a7390b89ff88ae08a5fcb5fdae555732d2b3327b4bd46a4057db5dd627d54090132bb4db47f8343b914bd80f6b1f7a0ca613070ea296a23634d5c09350

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.