Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/05/2024, 20:06

General

  • Target

    1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe

  • Size

    2.7MB

  • MD5

    1cfbd4c4c14b6506acde10bf31170bf0

  • SHA1

    3bc6a69835817551378f9f5219f299b6e2ee7b33

  • SHA256

    2c595c3423a441e408f13cf00d98a9eb0a0e813252218758ffbb3c7e6287eb12

  • SHA512

    26f26a2fcb569cffe3dd6b6a4ae310f08366e84d8bb1ea516f024a002f17b380dbafc3537c82f0bb2fc61ba7eebf17a3f871c943ca4f29a1f9e9e65848e3b178

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBG9w4Sx:+R0pI/IQlUoMPdmpSpA4

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1cfbd4c4c14b6506acde10bf31170bf0_NEIKI.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\SysDrvK9\xbodsys.exe
      C:\SysDrvK9\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:372

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\LabZZH\dobasys.exe

    Filesize

    2.7MB

    MD5

    1e31d49867e1430e2c2e8785fb772d90

    SHA1

    a6cf5ae182d4ef5838ad7decbc95bd2233791403

    SHA256

    27499571958a5a0f2962b8448215cba9523c3e97b0681f9a32fafbabea6a896b

    SHA512

    254ccf444c5bba6b48c7fd1c7b3fbabfc55b9a154577931ea6f0f95458ef48926353e07231d4e89d706fa928fcd6adca4a35aa851f78682f4a8b575a74cd12ea

  • C:\SysDrvK9\xbodsys.exe

    Filesize

    2.7MB

    MD5

    1b617efee32dab4e42d770e535e27a1d

    SHA1

    969636839aed8d9513476f9231f4f994fba5f2fb

    SHA256

    ad5dc4d5d2b2d70a3f8813c09eea0893f6be7a44eadcb9e0daf2eb02cf92785f

    SHA512

    91a39203bcdea503d58f2705e0f855e25f3612243f0687837a733a1714791c1f5bcd9163465d51270c5eceba54a327ac368d8c630ae17117bad0d3e174aaae4b

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    2487cc4b1d863a2f870ac6ce38a21f79

    SHA1

    4a4d6391cd5932ee004e47c8ee84ac3492b3c101

    SHA256

    f7a29b842bc77bfe0991185957afe9444c3f062b2f6f725e2dd352b7da42c21f

    SHA512

    2d55d4667969ace1952f1131fdf0d5190d71e9929ee040ee61d63a04a53c6931e4df669cb37a3ab469838544ed2ac27681e343b6be4d42e59966898352177ff9