Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

4413aee25d...KI.exe

windows7-x64

7

4413aee25d...KI.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/05/2024, 09:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4413aee25dc8ce8fe809ebba723e8240_NEIKI.exe

  • Size

    819KB

  • MD5

    4413aee25dc8ce8fe809ebba723e8240

  • SHA1

    d7378d9a205f4e39c0d95e45d35a636a57b85c60

  • SHA256

    20061f0bf2246fc6a37746775c29a3998bceff26f807327772c5523d8a987c04

  • SHA512

    e8a422f072b5e0e880427f18cbf87218f9b43e4d54721b77002992bcf302e5586608d2c17d8ed340232aaf10d0cc97920cb4e1fae9d5b931ffca450ac9ed0b1f

  • SSDEEP

    12288:Go08BDxT2mSXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:GH8PT2sqjnhMgeiCl7G0nehbGZpbD

Score
7/10
spywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 15 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4413aee25dc8ce8fe809ebba723e8240_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\4413aee25dc8ce8fe809ebba723e8240_NEIKI.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\bin\Tools\run.hta"
      2⤵
        PID:2944
    • C:\Windows\System32\alg.exe
      C:\Windows\System32\alg.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4572
    • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      1⤵
      • Executes dropped EXE
      PID:2876
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
      1⤵
        PID:944
      • C:\Windows\system32\fxssvc.exe
        C:\Windows\system32\fxssvc.exe
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:4436
      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
        1⤵
        • Executes dropped EXE
        PID:4056
      • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
        1⤵
        • Executes dropped EXE
        PID:3588
      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
        "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
        1⤵
        • Executes dropped EXE
        PID:3628
      • C:\Windows\System32\msdtc.exe
        C:\Windows\System32\msdtc.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:1240
      • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
        "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
        1⤵
        • Executes dropped EXE
        PID:4636
      • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
        C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
        1⤵
        • Executes dropped EXE
        PID:4396
      • C:\Windows\SysWow64\perfhost.exe
        C:\Windows\SysWow64\perfhost.exe
        1⤵
        • Executes dropped EXE
        PID:1640
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4020

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
          Filesize

          2.2MB

          MD5

          d312237585f0f1e829800552bd3ba95b

          SHA1

          99864715620bc7bfb813ba5b9de9cb15edd63698

          SHA256

          b8714a5f76c4e1cf1e945ca15d3fe7e2cf0c20f303ea8ced15d4acb52ed2c844

          SHA512

          6e0d2a391d8051ed3788e19616364a2c2849bc066e05f659cb7fb049255817a028e6a28a501ce55eb60f68aab55ca00ab41b36c6fedb56eea6055df90b220ccb

          Download Submit

        • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
          Filesize

          781KB

          MD5

          203325b947b25f039108cac71e674107

          SHA1

          a28395a395d505b11ec300095adeab2c275aa492

          SHA256

          bdde855eb861e6ca4bfc2dc07e7197a870a9b773bed77780340e521832ca5ba6

          SHA512

          184d689892c5908679d0296eb0dbf45358d2830eb0094611b1e1178b8fa8f7b0e0db2fdb376afb2cb754b15ef96ffe63e2a04d85c317cbaa101ac24351818790

          Download Submit

        • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
          Filesize

          805KB

          MD5

          dac6fa5c6a2c8e654cf44ae9d2817699

          SHA1

          4e541e2b563d7096b3ed2a926d8a9d048584b993

          SHA256

          a8658c067ea58fe36ac9be14c2cddf46506145ba1e462690747c3ae7586fa069

          SHA512

          8017d804da9f252ace21649527e9b9f88509304969e3e2bc41567a80c87890bc35f9327fbe007ab465aa3649be7c3b8a58ab3fdf15f548558900045d617182a0

          Download Submit

        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
          Filesize

          2.1MB

          MD5

          7878eb38c76872a56ac6f0b16f40fbcc

          SHA1

          bb17b69be40bf4256cb746956237bb9578f2db06

          SHA256

          d84f0b2ecc499795bb2d642047e96fdca4b3d3a50e4576c83049117cafdc2c8f

          SHA512

          fdd68fef342f5eee499d62e53d4c66c421a8beff8a5778dec782054c2f2a364532bbdb7ab6279fdd2a85728a7d80b512523c65cbbeda45dc1d25ce4c61ba78f8

          Download Submit

        • C:\Windows\SysWOW64\perfhost.exe
          Filesize

          588KB

          MD5

          198a6a4c28fab85d201d69b1932a19ff

          SHA1

          09ff1638292993e556dc3bdad0bafaf8c9b75ddb

          SHA256

          15304c3b85009c82d02aa9804316c988d3cfaaf2aa72829856b0f3d3ed3a9016

          SHA512

          49ca44dfd07e65b083bdf5d3a846f19c25d594c032407f7d52710e9f95c46aa788d1e6a2fb4c8c80881190880148ce9afcf6e696d80507f147494a069371ef4a

          Download Submit

        • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
          Filesize

          659KB

          MD5

          c5b13f58f50aec19a5f770a43927ce66

          SHA1

          34c02b7a8024cbb89b6fb5074b50af6faa5a1c14

          SHA256

          fe98d1da4217771df617302558049480548e65dc1e1b691be9a2cd76ba382299

          SHA512

          aeabf1495ab58763b0a82fc5fca4a2178682d3955517b6fda1d08658e5f571db192e43678f113f7582a695b38fb84034de67842a9b4fcce807d2fe982719eb12

          Download Submit

        • C:\Windows\System32\FXSSVC.exe
          Filesize

          1.2MB

          MD5

          68a8f485a46ab683b0fa6f838f8d2452

          SHA1

          6a643fa4f13b2109a9fd9071106569256a54b3a1

          SHA256

          cf45d9447dab3ea9cdfd5a848196be9e7d8f69e7120fa90038dc16ec57410656

          SHA512

          bbe41ff3e65e75088c54ed4c2bd4d5f24c2f260b83429602791281b00f3aa54a494202b67d7c05b6b00bed811d12c179e51e70ae0dabfd749394f309ce913158

          Download Submit

        • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
          Filesize

          671KB

          MD5

          b5b49b555c7511c9717312cf81423fa5

          SHA1

          251a8cf2b644ec7ae91c8783af0e8abf2ea25208

          SHA256

          3f2ead9fb4771f65ccf243ab648b71f051a16c690098f151f7781fe547bfe9b4

          SHA512

          970594253e1605bfce5adffd9565e0dc0b8003d653d9da35bc3872159248b889e6bac1571b5303894f16f90b141e4b44804938945bf5f07e9af5051e6c91a754

          Download Submit

        • C:\Windows\System32\alg.exe
          Filesize

          661KB

          MD5

          31df5b497982778468edf1957484e45a

          SHA1

          29e8a22d55aa83f37ca0d10dbdf846077e999ab5

          SHA256

          375e1387eb663582630c365fc14e4facd6b8d23ae1f100585e1f3472f8ef0090

          SHA512

          d37326733955c2828c6d1f379cc3bdc8bffd5e54d1b362c534d96c603cc3dcf198bcb73a81202ae6ab690ddae86ba4baed577e71b0875be492a20295d086100c

          Download Submit

        • C:\Windows\System32\msdtc.exe
          Filesize

          712KB

          MD5

          48ce91c0e925c9c7cabac629ce9c38c8

          SHA1

          8cacf25fccd5bb36865383e82b113a4f72ccc618

          SHA256

          a81508b3752d2f638a74872df6027e09d70f2a4ab3a1f73f37fa234cc2db317f

          SHA512

          d3ea19bb5fb45691d4eeaca5898d2567ea4711dae98c4d499f3b3fd6450b44ae162a67e1de15c12b9e6fcaba0a31af77898f61dce7d2da9e5fd73af5afa87e76

          Download Submit

        • C:\Windows\system32\AppVClient.exe
          Filesize

          1.3MB

          MD5

          90e56a70c626479f80d44dd49e3df78b

          SHA1

          d78100427164b8d99c1178f17962a6cb1acec5ad

          SHA256

          9c41827f85cfdefe2ca2ab191f54cf2ab922b4cff74e0bb5c96df160cf455bfb

          SHA512

          6031107f474bd30ea6a68e9422dc893ef4042de718a8dcd90ae5feffad7480159d655668ef6b36827cab4d7de7522284077c28dcf0a3f4091c0bbf4126fd5005

          Download Submit

        • C:\Windows\system32\msiexec.exe
          Filesize

          635KB

          MD5

          0b5e3633f6df64b4565cbe97808ec568

          SHA1

          256079db4f7551a53ed5f54004fcab969c1c4fb8

          SHA256

          df4f50dc3d9cdadc66e605fbbdcc0b562a873006aa203c7afe8e899419c6d053

          SHA512

          d9379a779f136b91700ff02bdae25c33f1299fa0e19280ad03e9b20ed05d0b7601470c334724243ebfaaff17e23133a5d2c5de088c118e705831a48706aa6101

          Download Submit

        • memory/1240-92-0x0000000000800000-0x0000000000860000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1240-91-0x0000000140000000-0x00000001400B9000-memory.dmp

          Filesize

          740KB

          Download

        • memory/1240-250-0x0000000140000000-0x00000001400B9000-memory.dmp

          Filesize

          740KB

          Download

        • memory/1640-127-0x0000000000400000-0x0000000000497000-memory.dmp

          Filesize

          604KB

          Download

        • memory/1640-274-0x0000000000400000-0x0000000000497000-memory.dmp

          Filesize

          604KB

          Download

        • memory/1800-137-0x0000000000400000-0x00000000004D4000-memory.dmp

          Filesize

          848KB

          Download

        • memory/1800-1-0x0000000002750000-0x00000000027B7000-memory.dmp

          Filesize

          412KB

          Download

        • memory/1800-7-0x0000000002750000-0x00000000027B7000-memory.dmp

          Filesize

          412KB

          Download

        • memory/1800-6-0x0000000002750000-0x00000000027B7000-memory.dmp

          Filesize

          412KB

          Download

        • memory/1800-63-0x0000000000400000-0x00000000004D4000-memory.dmp

          Filesize

          848KB

          Download

        • memory/1800-0-0x0000000000400000-0x00000000004D4000-memory.dmp

          Filesize

          848KB

          Download

        • memory/2876-25-0x0000000000680000-0x00000000006E0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/2876-115-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2876-31-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2876-34-0x0000000000680000-0x00000000006E0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/3588-211-0x0000000140000000-0x0000000140245000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/3588-70-0x0000000000990000-0x00000000009F0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/3588-64-0x0000000000990000-0x00000000009F0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/3588-72-0x0000000140000000-0x0000000140245000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/3628-89-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3628-87-0x0000000002280000-0x00000000022E0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/3628-84-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3628-76-0x0000000002280000-0x00000000022E0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/3628-82-0x0000000002280000-0x00000000022E0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/4056-53-0x0000000000540000-0x00000000005A0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/4056-60-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/4056-58-0x0000000000540000-0x00000000005A0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/4056-174-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/4396-116-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/4396-263-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/4436-49-0x0000000140000000-0x0000000140135000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4436-47-0x0000000000EE0000-0x0000000000F40000-memory.dmp

          Filesize

          384KB

          Download

        • memory/4436-46-0x0000000000EE0000-0x0000000000F40000-memory.dmp

          Filesize

          384KB

          Download

        • memory/4436-38-0x0000000000EE0000-0x0000000000F40000-memory.dmp

          Filesize

          384KB

          Download

        • memory/4436-37-0x0000000140000000-0x0000000140135000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4572-103-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/4572-19-0x0000000000700000-0x0000000000760000-memory.dmp

          Filesize

          384KB

          Download

        • memory/4572-13-0x0000000000700000-0x0000000000760000-memory.dmp

          Filesize

          384KB

          Download

        • memory/4572-12-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/4636-112-0x0000000140000000-0x00000001400CF000-memory.dmp

          Filesize

          828KB

          Download

        • memory/4636-260-0x0000000140000000-0x00000001400CF000-memory.dmp

          Filesize

          828KB

          Download