Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/05/2024, 08:09
Static task: static1
Behavioral task: behavioral1
- Sample: 212ad48783f5d894386a5172672de1d0_NEIKI.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 212ad48783f5d894386a5172672de1d0_NEIKI.exe
- Resource: win10v2004-20240419-en
General
- Target: 212ad48783f5d894386a5172672de1d0_NEIKI.exe
- Size: 576KB
- MD5: 212ad48783f5d894386a5172672de1d0
- SHA1: 5c547a6a92db7c3ca3d6382711a7662efab53beb
- SHA256: cc1879bbd8f4c99007961c1d9dda24a57d10d4cba0edeb2b4734e709259d6cb7
- SHA512: 5060a0b3e251f478e6cab07145ff606395c681652d0f80f23ef927aeecd04847a853a9442a3ee4abf0a1ee0ae677bcf94829f38740909015ff01685447b691da
- SSDEEP: 12288:PmWhND9yJz+b1FcMLmp2ATTSsdxmWhND9yJz+b1FcMLmpG:PmUNJyJqb1FcMap2ATT5rmUNJyJqb1Fl
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | svchost.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4980 | svchost.exe
- Modifies WinLogon (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d60745cc = "ÿ\u009d´\x1bõº[b’Æøá(\x18Ô™`©,\x18—™~Hón(fµd\rÀôš„”<ºý¬œÅÄ*p\x0f÷tçPÜød÷üÜ„¸lèЇ\\ÔÔ’„”]z\fp…\x05ü÷‡Ÿ¸·Ø\u009d?µŒ\x7fÔ" | 212ad48783f5d894386a5172672de1d0_NEIKI.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d60745cc = "ÿ\u009d´\x1bõº[b’Æøá(\x18Ô™`©,\x18—™~Hón(fµd\rÀôš„”<ºý¬œÅÄ*p\x0f÷tçPÜød÷üÜ„¸lèЇ\\ÔÔ’„”]z\fp…\x05ü÷‡Ÿ¸·Ø\u009d?µŒ\x7fÔ" | svchost.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\apppatch\svchost.exe | 212ad48783f5d894386a5172672de1d0_NEIKI.exe
  File opened for modification | C:\Windows\apppatch\svchost.exe | 212ad48783f5d894386a5172672de1d0_NEIKI.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4420 212ad48783f5d894386a5172672de1d0_NEIKI.exe 4420 212ad48783f5d894386a5172672de1d0_NEIKI.exe 4420 212ad48783f5d894386a5172672de1d0_NEIKI.exe 4420 212ad48783f5d894386a5172672de1d0_NEIKI.exe 4420 212ad48783f5d894386a5172672de1d0_NEIKI.exe 4420 212ad48783f5d894386a5172672de1d0_NEIKI.exe 4420 212ad48783f5d894386a5172672de1d0_NEIKI.exe 4420 212ad48783f5d894386a5172672de1d0_NEIKI.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe 4980 svchost.exe -
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  4420 | 212ad48783f5d894386a5172672de1d0_NEIKI.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4420 wrote to memory of 4980 | 4420 | 212ad48783f5d894386a5172672de1d0_NEIKI.exe | 83
  PID 4420 wrote to memory of 4980 | 4420 | 212ad48783f5d894386a5172672de1d0_NEIKI.exe | 83
  PID 4420 wrote to memory of 4980 | 4420 | 212ad48783f5d894386a5172672de1d0_NEIKI.exe | 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\212ad48783f5d894386a5172672de1d0_NEIKI.exe (PID 4420)
   Command line: "C:\Users\Admin\AppData\Local\Temp\212ad48783f5d894386a5172672de1d0_NEIKI.exe"
   - Modifies WinLogon
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\apppatch\svchost.exe (PID 4980)
      Command line: "C:\Windows\apppatch\svchost.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Modifies WinLogon
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads