Analysis
max time kernel: 150s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/05/2024, 06:39
Static task: static1
Behavioral task: behavioral1
  Sample: fac9a87226a0d93291f97d1fb6618230_NEIKI.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fac9a87226a0d93291f97d1fb6618230_NEIKI.exe
  Resource: win10v2004-20240419-en
General
Target: fac9a87226a0d93291f97d1fb6618230_NEIKI.exe
Size: 156KB
MD5: fac9a87226a0d93291f97d1fb6618230
SHA1: 2c4b982850064f4e4a1be01d2b7debdacbe2cd39
SHA256: 0dd53eb18a909b28fcfb935396b62d17fb27b078e5f61a1e7944a0d66b871c77
SHA512: ec38d0f9ae1465c54e9f78e712a29beee4a861efe16de777776b0551558f63b9ba8f78c2e33509d5cbd734c506d0645d175909282c8331f2670e3d355d579743
SSDEEP: 1536:Y1pMooIDVoHmSiUsr9QUpHgsbRBGS17l5/rlAOXBOhwLAKtoJi+A7pfYoyv8+0Eu:Y7MLuamxrOUJgsbT7OukKtdxyv8+jS
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ceuiveb.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | fac9a87226a0d93291f97d1fb6618230_NEIKI.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | fac9a87226a0d93291f97d1fb6618230_NEIKI.exe

Executes dropped EXE (1 IoC)
pid | Process
372 | ceuiveb.exe

Adds Run key to start application (2 TTPs, 27 IoCs)
All 27 entries are "Set value (str)" writes to the same value, \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceuiveb; only the data written and the writing process vary:
data | Process
"C:\\Users\\Admin\\ceuiveb.exe /m" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /z" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /a" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /f" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /g" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /k" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /x" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /v" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /i" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /p" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /c" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /q" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /r" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /s" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /h" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /t" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /b" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /u" | fac9a87226a0d93291f97d1fb6618230_NEIKI.exe
"C:\\Users\\Admin\\ceuiveb.exe /w" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /d" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /o" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /l" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /e" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /u" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /j" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /n" | ceuiveb.exe
"C:\\Users\\Admin\\ceuiveb.exe /y" | ceuiveb.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2636 | fac9a87226a0d93291f97d1fb6618230_NEIKI.exe (2 entries)
372 | ceuiveb.exe (the remaining 62 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2636 | fac9a87226a0d93291f97d1fb6618230_NEIKI.exe
372 | ceuiveb.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2636 wrote to memory of 372 | 2636 | fac9a87226a0d93291f97d1fb6618230_NEIKI.exe | 90
PID 2636 wrote to memory of 372 | 2636 | fac9a87226a0d93291f97d1fb6618230_NEIKI.exe | 90
PID 2636 wrote to memory of 372 | 2636 | fac9a87226a0d93291f97d1fb6618230_NEIKI.exe | 90
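The three registry signatures above (the ShowSuperHidden write, the Geo\Nation query and the 27 Run-key writes) are the parts of this report an analyst turns into hunting keys. The script below is an added example and is not part of the tria.ge report or of the sample: it parses IoC lines in the report's own "Set value (...) ... / Key value queried ..." format, rewrites the sandbox's \REGISTRY\USER\<SID>\ prefix to HKCU\ so the keys can be hunted on any user profile, groups the actions by tactic, and collects the launch switches the sample cycles through in the Run value. The sample lines are copied from this report; the ATT&CK IDs in the comments (T1547.001, T1564.001, T1614) are our own reading of the behaviour, since the report counts TTPs but does not name them.

```python
import re

# Constructed sample input: six lines copied from the report's signature
# tables (the full report lists 27 Run-key writes; three show the pattern).
# The SID is the sandbox user's and will differ on a real host.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ceuiveb.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" fac9a87226a0d93291f97d1fb6618230_NEIKI.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation fac9a87226a0d93291f97d1fb6618230_NEIKI.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceuiveb = "C:\\Users\\Admin\\ceuiveb.exe /m" ceuiveb.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceuiveb = "C:\\Users\\Admin\\ceuiveb.exe /u" fac9a87226a0d93291f97d1fb6618230_NEIKI.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceuiveb = "C:\\Users\\Admin\\ceuiveb.exe /z" ceuiveb.exe',
]

# One IoC line: <op> <native registry path>[ = "<data>"] <writing process>.
# The path is matched lazily because it may contain spaces ("Control Panel").
LINE_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s=\s"(?P<data>.*)")?'
    r'\s+(?P<proc>\S+)$'
)
# Native \REGISTRY\USER\<SID>\ prefix as the sandbox logs it.
SID_PREFIX_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\', re.IGNORECASE)


def to_hkcu(path):
    """Rewrite the sandbox SID prefix to HKCU\\ so the key is hunt-ready on any profile."""
    return SID_PREFIX_RE.sub(lambda _m: 'HKCU\\', path)


def parse_ioc(line):
    """Split one report line into op, value type, native path, data and process."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    data = m.group('data')
    if data is not None:
        data = data.replace('\\\\', '\\')  # the report prints backslashes doubled
    return {
        'op': m.group('op'),
        'vtype': m.group('vtype'),
        'path': m.group('path'),
        'hunt_key': to_hkcu(m.group('path')),
        'data': data,
        'proc': m.group('proc'),
    }


def classify(rec):
    """Map a parsed registry action to a tactic (ATT&CK IDs are our own mapping)."""
    p = rec['path'].lower()
    if p.endswith('\\explorer\\advanced\\showsuperhidden') and rec['data'] == '0':
        return 'defense_evasion'   # re-hides protected OS files, T1564.001
    if '\\currentversion\\run\\' in p:
        return 'persistence'       # per-user Run key, T1547.001
    if p.endswith('\\control panel\\international\\geo\\nation'):
        return 'discovery'         # country code lookup, likely geofence, T1614
    return 'other'


def triage(lines):
    """Group IoC lines by tactic; collect Run-value switches, writers and hunt keys."""
    result = {
        'persistence': [], 'defense_evasion': [], 'discovery': [], 'other': [],
        'run_switches': set(), 'run_writers': set(), 'hunt_keys': set(),
    }
    for line in lines:
        rec = parse_ioc(line)
        if rec is None:
            continue
        cat = classify(rec)
        result[cat].append(rec)
        result['hunt_keys'].add(rec['hunt_key'])
        if cat == 'persistence':
            # data is "<image path> <switch>"; the image is the same every time,
            # only the switch changes between the 27 rewrites in the report
            _image, _, switch = rec['data'].partition(' ')
            result['run_switches'].add(switch)
            result['run_writers'].add(rec['proc'])
    return result


if __name__ == '__main__':
    r = triage(SAMPLE_IOCS)
    for cat in ('persistence', 'defense_evasion', 'discovery'):
        for rec in r[cat]:
            print(f"{cat:16} {rec['proc']:45} {rec['hunt_key']} = {rec['data']}")
    print('Run switches seen:', ' '.join(sorted(r['run_switches'])))
```

Feeding it the full 27-row table instead of the six sample lines yields one hunt key and 26 distinct switches (/u is written twice). Two caveats when turning these into detections: ShowSuperHidden = 0 is the Windows default, so the value on its own proves nothing and the signal is the write by an unsigned user-profile binary; and a Geo\Nation read is also normal application behaviour, so it is a geofence hint only in combination with the Run-key write and the drop to C:\Users\Admin\ceuiveb.exe.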
Processes
C:\Users\Admin\AppData\Local\Temp\fac9a87226a0d93291f97d1fb6618230_NEIKI.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fac9a87226a0d93291f97d1fb6618230_NEIKI.exe"
  PID: 2636
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\ceuiveb.exe (child of PID 2636)
    command line: "C:\Users\Admin\ceuiveb.exe"
    PID: 372
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 156KB
MD5: b77e51024617dc393d5609cd654abfe6
SHA1: 6994f858b847c94e49271587481b735f49d098df
SHA256: 536b9f2490ce6873150e3ae51c1b2744c8afb4014c507e5d23911616c024fcab
SHA512: 318a43ca67677d6c042170bf7230c6f23b531bcdd7ab8e99dd2ffff207a272f5913571c3df9b88948e0861c1373708c4381f9c698915065ef694d4ed17cffa3b