Analysis

  • max time kernel
    150s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/05/2024, 12:20

General

  • Target

    a811a3c1e769aa79d9493942c4976160_NEIKI.exe

  • Size

    1.6MB

  • MD5

    a811a3c1e769aa79d9493942c4976160

  • SHA1

    e972b66d9eaf4b26f61fcfe762ea03e3ee57f85b

  • SHA256

    9b0ec0360c57721dba7aa2cdae5cff0eec452c1879763afa0c74cc4aa7e747db

  • SHA512

    78ec5b29e403fd8e14b4f8a2f31548a17063e7a51dc0bff97986e5fa06eb29dd80f977e1460efa815926b21457bca97d88f62401166113f2feb558aa2a16563e

  • SSDEEP

    24576:PFOaskwW4oHIIH950ysEtbJ4gwMmaRaV7rzwYVtH0E8ma8jT+RRiQIWYH17tu6t2:trwCB9+YOaILVtH0E8maWGiQI3V7tNt2

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 6 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a811a3c1e769aa79d9493942c4976160_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\a811a3c1e769aa79d9493942c4976160_NEIKI.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1116
    • \??\c:\users\admin\appdata\local\temp\a811a3c1e769aa79d9493942c4976160_neiki.exe 
      c:\users\admin\appdata\local\temp\a811a3c1e769aa79d9493942c4976160_neiki.exe 
      2⤵
      • Executes dropped EXE
      PID:2936
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:632
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4524
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4620
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3508
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:3868

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a811a3c1e769aa79d9493942c4976160_neiki.exe 

    Filesize

    1.5MB

    MD5

    b2df0057569ffe9c42fa88e639ac7046

    SHA1

    1798be8ca6f11c08b982f60e42d1c632f0631077

    SHA256

    eb507ee4b4b347daa400c41408146a2ffc0503496e500b8177dd1a9e877d7924

    SHA512

    1ef703191775e6f32790664ea34b80e09125750a5906c4097a5cb478ebe56cb9b4ebf3b64b5249ea6c4afb1fc158380340cab7c76c2489e724804906278e0233

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    be265b1e6740ec88df722c23028f865c

    SHA1

    17565611eb2bcb79e11898b06309d5c6c1d414dd

    SHA256

    8acf1f067648deb6cd14fc399720db54f3c88a566c633e38e56076b9ed73be8e

    SHA512

    16b709d397cab6d943c3b9ac4e34705d7405b1fd07c85190d16b52f12682a5fb1a234a22b61b0aafafcfe37db3e26541447c6bffd4347fd1cc1507777eb85867

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    6477f6d1cd07c56e8f29ba684e030ae5

    SHA1

    880ffe02c380bb2951f88b30a928be7a87587146

    SHA256

    72de6d92b4697384847573945625a3be3183bbec6d413ce38779f48ea8a1a685

    SHA512

    0aa55d6f76fc87f0e744a8143f7340b45f446f1e946e24a6ad03665966d8cc5076eaac3e3cbf92d3af3b056642d8e2627a64cb21c40de9154a85d405380d708f

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    2ec8328630ed7c6d505830c0bbd6557c

    SHA1

    d2abdeb95896e04169665c77944fbb1912314d79

    SHA256

    d0c7c894ae995a96e96a1cc19b749b0530c3b31ef2b1c73b6d3e8b07a6bc8520

    SHA512

    5d802c1657bb066b48f4a2033d07e92c0326a3ded750ec3fe2debe30b047397c87889a6698ede9e7de7ebd125ed7b004cd5df2d26c90fa523cf28e167810d9e4

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    85770674a43c8281b89af7163e782271

    SHA1

    1fdd62f8ce1113fe0f8e90cc0dee9748a03f212d

    SHA256

    e4cb2c6155c793578ce04fa0f1b0ff6614370107a1f87fa8345185ac63bfcabb

    SHA512

    1b9d32754b829f237b919744d1ce507e130d781e6f62b8f455fbd8bb3d5ea8f0850a665af1649b1f03a467e33346c82dcf2e3629f120bdc70d89b013afb27993

  • memory/1116-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1116-43-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB