Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08/05/2024, 22:48
Behavioral task: behavioral1
- Sample: 8563209274cd91effedd6b6c74c3abe0_NEIKI.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 8563209274cd91effedd6b6c74c3abe0_NEIKI.exe
- Resource: win10v2004-20240508-en
General
- Target: 8563209274cd91effedd6b6c74c3abe0_NEIKI.exe
- Size: 136KB
- MD5: 8563209274cd91effedd6b6c74c3abe0
- SHA1: 89ed72201445a357b8ee814e1cdc48b9af271da1
- SHA256: 31ad5b6eaa002c74394f3111d3fa60c721ebd93931756fcdacf2ac57000a75f1
- SHA512: 90c7d6ea9af99f8d7b17b4fc6bb38c4b09c4bbe0f678ce0e5eed4f017c36ede713f49fb5a4473b96b52aae80523ff1b54b594592a6c931f65421ab9ebd76f88a
- SSDEEP: 3072:AE9ByF5wP7Ht99mbaa+vKAzWvSVJSwpi6DsL:7907wTr9mea+i6WKQz
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- resource: behavioral1/files/0x0033000000014b18-7.dat, yara_rule: aspack_v212_v242
- Executes dropped EXE (1 IoCs)
  pid | Process
  2600 | pfwoyhh.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~3\Mozilla\bjvdwgg.dll | pfwoyhh.exe
  File created | C:\PROGRA~3\Mozilla\pfwoyhh.exe | 8563209274cd91effedd6b6c74c3abe0_NEIKI.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  2848 | 8563209274cd91effedd6b6c74c3abe0_NEIKI.exe
  2600 | pfwoyhh.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2036 wrote to memory of 2600 | 2036 | taskeng.exe | 29
  PID 2036 wrote to memory of 2600 | 2036 | taskeng.exe | 29
  PID 2036 wrote to memory of 2600 | 2036 | taskeng.exe | 29
  PID 2036 wrote to memory of 2600 | 2036 | taskeng.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\8563209274cd91effedd6b6c74c3abe0_NEIKI.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8563209274cd91effedd6b6c74c3abe0_NEIKI.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID: 2848
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {C53DF466-E70C-4696-ABA3-86EFBA667D4D} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2036
  - C:\PROGRA~3\Mozilla\pfwoyhh.exe (depth 2, child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\pfwoyhh.exe -zhxzcvh
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    PID: 2600
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 136KB
  MD5: fcd5fb70037d7fa241bd9a1a4dde2143
  SHA1: 00ea3639dc22256e814794d26b19b274ab7ef220
  SHA256: bd5c5278cde1ab54c2e4c70d6b7de04e8246b147787ed543ad7051212badce50
  SHA512: 5c183e6d4e16cf706e044eda78a9f2c57ec2f5f0b2a0523b301410fad34657180d1141168568b42c10d06ab31aaf10eb6866d135354670c03bb88bde3fe25440