Analysis
Max time kernel: 149s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 07/05/2024, 21:22
Static task: static1
Behavioral task: behavioral1
  Sample: 39ce1a9e6ea14eef61f4785fa5725b10_NEIKI.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 39ce1a9e6ea14eef61f4785fa5725b10_NEIKI.exe
  Resource: win10v2004-20240419-en
General
Target: 39ce1a9e6ea14eef61f4785fa5725b10_NEIKI.exe
Size: 4.1MB
MD5: 39ce1a9e6ea14eef61f4785fa5725b10
SHA1: 8168d378ab9761de383659128816892e1ab0fc26
SHA256: f5030a7c68a0d63ba7c6aebf321466c9705e64bfb615235bbf56f778220c3ea2
SHA512: a45388c2fae2b88f52beba7dd49dd888a11b07037617297364335c93e60152044a77daee903003f7fada626210e747e6d8309fe5045eef556a901503e1c85595
SSDEEP: 98304:+R0pI/IQlUoMPdmpSpG4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm95n9klRKN41v
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 2024  devdobloc.exe
Loads dropped DLL (1 IoC)
  PID 1652  39ce1a9e6ea14eef61f4785fa5725b10_NEIKI.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv43\\devdobloc.exe"  written by 39ce1a9e6ea14eef61f4785fa5725b10_NEIKI.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1U\\optidevloc.exe"  written by 39ce1a9e6ea14eef61f4785fa5725b10_NEIKI.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 entries, every one attributed to either PID 1652 (39ce1a9e6ea14eef61f4785fa5725b10_NEIKI.exe) or PID 2024 (devdobloc.exe)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1652 (39ce1a9e6ea14eef61f4785fa5725b10_NEIKI.exe) wrote to memory of PID 2024 (devdobloc.exe), procid_target 28; four identical entries. The only write target is the child process the sample itself spawned.
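The two registry writes under "Adds Run key to start application" are the persistence this sample shows: the same value name, Parametr, is set under the user's Run key pointing at C:\SysDrv43\devdobloc.exe and under RunOnce pointing at C:\Galax1U\optidevloc.exe, both in freshly created folders directly under the drive root. The following Python script is an added example, not part of the tria.ge report or the sandbox's own code. It parses IoC lines in the format the report prints (hive path, value name, string data with doubled backslashes) and applies three heuristics to each autostart entry: image located in a non-standard drive-root folder, value name unrelated to the executable's name, and one value name reused for different executables across Run/RunOnce. The first two input lines are copied from the report; the third is a constructed benign control entry (ExampleVendor, ExampleUpdater.exe) that is not from the report. The folder allow-list and the heuristics are assumptions for the example and need tuning against real telemetry.

```python
"""Flag suspicious autostart (Run/RunOnce) registry writes from sandbox IoC lines.

Added example; not tria.ge code. Input follows the report's "Set value (str)"
format: <hive path>\<value name> = "<data>", with backslashes in the data doubled.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the two registry writes listed in this report, plus one
# constructed benign control entry (third line, NOT from the report) that the
# heuristics should leave alone.
SAMPLE_IOCS = [
    r'\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv43\\devdobloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1U\\optidevloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = ""C:\\Program Files\\ExampleVendor\\ExampleUpdater.exe" /quiet"',
]

IOC_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\'
    r'(?P<path>(?:[^\\=]+\\)*?CurrentVersion\\(?P<key>Run|RunOnce|RunServices|RunServicesOnce))'
    r'\\(?P<name>[^\\=]+?) = "(?P<data>.*)"$'
)
SID_RE = re.compile(r'^(S-1-\d+(?:-\d+)+)\\')
EXE_RE = re.compile(r'(?i)^(.+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js|ps1))(?:\s|$)')

# Top-level folders on a fixed drive where autostart images normally live.
# Assumption for this example; tune to your estate. User-writable trees under
# Users\ and ProgramData\ need their own, separate rule.
STANDARD_ROOTS = {"windows", "program files", "program files (x86)", "programdata", "users"}


@dataclass
class AutorunEntry:
    hive: str
    sid: Optional[str]
    key: str       # Run, RunOnce, ...
    name: str      # value name, e.g. "Parametr"
    command: str   # string data as written, unescaped
    image: str     # executable path extracted from the command


def image_path(command: str) -> str:
    """Pull the executable path out of an autorun command line."""
    s = command.strip()
    if s.startswith('"'):                      # quoted path, possibly followed by arguments
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = EXE_RE.match(s)                        # unquoted path ending in an executable extension
    return m.group(1) if m else s.split(" ")[0]


def parse_ioc(line: str) -> Optional[AutorunEntry]:
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    sid_m = SID_RE.match(m["path"])
    command = m["data"].replace("\\\\", "\\")  # the report doubles backslashes in string data
    return AutorunEntry(
        hive=m["hive"], sid=sid_m.group(1) if sid_m else None, key=m["key"],
        name=m["name"], command=command, image=image_path(command),
    )


def parse_report(lines) -> list[AutorunEntry]:
    return [e for e in (parse_ioc(line) for line in lines) if e is not None]


def assess(entries: list[AutorunEntry]) -> list[tuple[AutorunEntry, list[str]]]:
    """Return (entry, reasons) for every entry that trips at least one heuristic."""
    # Cross-entry view: one value name pointing at different executables
    # (here "Parametr" under both Run and RunOnce) is itself a signal.
    images_by_name: dict[tuple[Optional[str], str], set[str]] = {}
    for e in entries:
        images_by_name.setdefault((e.sid, e.name.lower()), set()).add(e.image.lower())

    findings = []
    for e in entries:
        reasons = []
        parts = re.split(r"[\\/]+", e.image)
        if len(parts) >= 3 and re.fullmatch(r"(?i)[a-z]:", parts[0]) and parts[1].lower() not in STANDARD_ROOTS:
            reasons.append(f"image in non-standard drive-root folder {parts[0]}\\{parts[1]}")
        stem = parts[-1].rsplit(".", 1)[0].lower()
        # Weak signal on its own (vendors pick odd value names); useful combined with the others.
        if stem and e.name.lower() not in stem and stem not in e.name.lower():
            reasons.append(f"value name {e.name!r} unrelated to executable {parts[-1]!r}")
        if len(images_by_name[(e.sid, e.name.lower())]) > 1:
            reasons.append(f"value name {e.name!r} reused for different executables across Run/RunOnce")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in assess(parse_report(SAMPLE_IOCS)):
        print(f"[{entry.key}] {entry.name} -> {entry.image}")
        for r in reasons:
            print(f"    - {r}")
```

Run as-is it flags both report entries on all three heuristics and leaves the constructed control entry alone. To hunt on a live host, feed parse_ioc the same "hive\name = data" shape from your registry telemetry, or export HKCU and HKLM Run/RunOnce values into that format; the drive-root check is the one most specific to what this sample does, the name-mismatch check is the noisiest and should not page anyone on its own.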
Processes
1. C:\Users\Admin\AppData\Local\Temp\39ce1a9e6ea14eef61f4785fa5725b10_NEIKI.exe (PID 1652)
   Command line: "C:\Users\Admin\AppData\Local\Temp\39ce1a9e6ea14eef61f4785fa5725b10_NEIKI.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\SysDrv43\devdobloc.exe (PID 2024), child of PID 1652
      Command line: C:\SysDrv43\devdobloc.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.1MB
  MD5: 946a2d9e0eebda9e8783d4ec03a9bd93
  SHA1: c2cb95ffad4947a2b68ee61433d1547169ab3f65
  SHA256: 6bc09b6bb180047fab60adcc6c79e605ddae76b974dbce92bb064f0d29efbeaf
  SHA512: 80431e56d14efa990d1be144dd7ec00e8c8adbe73a4c091cf4cf99e264e69842e8ddb303d42fa1a84465c57139262a211a137f134a4389781eedfbd404bca3e7
- Filesize: 209B
  MD5: 448a318c901eed7b723d940a20a9a083
  SHA1: 1dd3abdca9c1f80e7c8a550b470ca20d6a9019bd
  SHA256: e1cffff0f0646f7852cdf2c470f9565bf30ec1e38e9f94b5a12b7265743a70ee
  SHA512: ffbee6e1dbaeffa28726286679120c659335b45109921594a17a17043a326b32a3a0412e35f5268ae21a58162acf111606a981458e329b8b4d4482e7724f6d47
- Filesize: 4.1MB
  MD5: 0df3ea2b988e016ed56063d9c89fd5e2
  SHA1: 03fecb05439a3b8241934fc6db6b584d3b53132e
  SHA256: f4af2b147eeff23fa4dcd81e6022c3dc049be520d1d2c71d3954bf5b94562c5f
  SHA512: 5920d1d53eb649f8a8eb3960821fb4b3c7baaf2452376f48b4fd5bcc5e2dc4e85ec4a60568ec7d9fc430829ca642f7e3737f7490f55eb7ddf63fb9bce274be5b