Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

7131e5a260...KI.exe

windows7-x64

10

7131e5a260...KI.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08/05/2024, 10:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7131e5a260e0fe39ca3b465999a1e160_NEIKI.exe

  • Size

    73KB

  • MD5

    7131e5a260e0fe39ca3b465999a1e160

  • SHA1

    beca821bdba6d07b2400e6426fc572d68890559c

  • SHA256

    27909065e50cb895866e3a49b7f12e8b43b70e1a896f6abed62b0836cc2bebde

  • SHA512

    5de6b3757ff3497ff0e24f397f7dc64f7f1168bb2f04bb4b8ea27944e9fd8dc9c706da73c6f0e3ec4a3876d0730081a5a69d1962b3df216dadf7ee6f8fba4a03

  • SSDEEP

    768:x/nbDcnZARkcr07JP9Xdg7SV5bWNy1IMakG98N+hayyyOHoW5iKTNGNXft9RxVHj:xDDcIJ0JlXuGEUaWMnHcJOVkr1B6

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1144
        • C:\Users\Admin\AppData\Local\Temp\7131e5a260e0fe39ca3b465999a1e160_NEIKI.exe
          "C:\Users\Admin\AppData\Local\Temp\7131e5a260e0fe39ca3b465999a1e160_NEIKI.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2084
          • C:\Windows\SysWOW64\ouktaner.exe
            "C:\Windows\SysWOW64\ouktaner.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2052
            • C:\Windows\SysWOW64\ouktaner.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2528

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\axbookib-dom.dll
        Filesize

        5KB

        MD5

        f37b21c00fd81bd93c89ce741a88f183

        SHA1

        b2796500597c68e2f5638e1101b46eaf32676c1c

        SHA256

        76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

        SHA512

        252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

        Download Submit

      • C:\Windows\SysWOW64\eavneafoak.exe
        Filesize

        74KB

        MD5

        db222fb67e37207668003e22958d0704

        SHA1

        5115b966fca62a9aa3998317432dddfe374ce14f

        SHA256

        732096f35de1baa6c8263fbcd86d8b142046e1dfd62c4bff9d6511f5f3975d25

        SHA512

        d2f735422ce9927eb33f62e1e1a3abfda97fe6cb84f3668ebc0aba51520fc7590394628c64543e3e9d84274451883fc643aa1191662af85c604ebf603a3417e5

        Download Submit

      • C:\Windows\SysWOW64\inhoogom-eafex.exe
        Filesize

        73KB

        MD5

        ce9f7e191e87b302ab653ae075d92093

        SHA1

        88f98cbe0504d3166cfc93835ee12a14c6404d99

        SHA256

        61e4d32718b07cc8c8a12350b354d875d3ad2c05928e608872599ba82e6fa7ce

        SHA512

        81999d67a6fe07c9c2071f4fc434dae246586e510f48b2e15dacb40e7ac2a4ea5bf8b722dbee8766cf1e0f4ba95ef7fa341e000db742f2d3da9812624c16c0be

        Download Submit

      • \Windows\SysWOW64\ouktaner.exe
        Filesize

        71KB

        MD5

        e65b71570ecaf29876b4583198640fc5

        SHA1

        7eb263e7429434b951fc80d34a8decffda3e8b7b

        SHA256

        46e154db172c5b219e502b11aba71cae5310607a6aa1df4192c50d46d78f1266

        SHA512

        fdc4cb4431b64c0e6d5cdd005bbb10ed420da72a07a018d3eba4466625f6f053fdab79b17aa68ef86c3e99350bd13c39ff27c3893162be887db0a3c7d9b39b60

        Download Submit

      • memory/2052-53-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2084-7-0x0000000000400000-0x0000000000403000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2528-54-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download