Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/05/2024, 13:31

General

  • Target

    c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe

  • Size

    119KB

  • MD5

    c61e7d61a2d3fb46d53cf8395043b4d0

  • SHA1

    7f7926063a828b190cf41b4043007f561e3565d0

  • SHA256

    5356e532f3ed20944de09a0f02455093de8ea6ac8318411affbf86a02885d270

  • SHA512

    9284f686d392b47dcfbc4825b25e8551083db92d7db300b4c4af030672c39a413f05ca9ee851828d86b4e7eb8da167264d94b979aaf217a2ff1ca4ee7e0c3a30

  • SSDEEP

    3072:sOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:sIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software (1 IoC)

    Detects file using ACProtect software.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (9 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Maps connected drives based on registry (3 TTPs, 6 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory (12 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Program crash (1 IoC)
  • Modifies registry class (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 816
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2408

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    e0a629788eef2da3505964f48a435412

    SHA1

    de8038fd3a8ad588f2bd3c91d5754df564b845fa

    SHA256

    8088acfead4a1e3839ba385ac06b38ea3c1288eddd05a09c0fbd9c5bdb4e723d

    SHA512

    0555fd3b8772b91525124e926df93f6f12264f2f3a9c96357eebec3ac1179e9139f74d3d5dcc85141dc37d938497924a41734deb3faf7f7349abb48dd9e2f684

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    e2d829fc9b153f9a0185f2496211440c

    SHA1

    27e7c0cdb97ad93fd4609d924be66820e93b8679

    SHA256

    f018775a2eaf8486586fb08d6c63d39495fdc7f6a0ee8d1df2c0a08aa0f096ae

    SHA512

    7ffa2f8674dd3964b5a4f57f90ba81f86cf167a08b0b1aad35c1b14e140bef7272e56a4b138e0db61bca1d1083d10f903d094cc3692478b5dbcb9c3e3843a2f6

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    daf15b7a20a94c843e884cf264462a92

    SHA1

    149ab9c451e9b0ac81960b1bbed05b0c279d433a

    SHA256

    745960906bae8505a2c5fa3ef7e59ac715e327652061bb3f8e8ca6aac95b1127

    SHA512

    0b3365bb7091a168cc0d18ac1aa40df95cb5627f88e1b9341f05dc1525f9d76af86c992f7ea111af52d403a068b6b14524e065d4f7259d6942eb50e0d8464f65

  • \Windows\SysWOW64\smnss.exe

    Filesize

    119KB

    MD5

    1624b3c9766a8eb01cc55a99519eb566

    SHA1

    4d4e69251659844fc731e0218465356a5345a18f

    SHA256

    7035e74a50c2fd2ccc4fb6f6affc5ad8b7170d9258a4bdc2481c17277b3631a7

    SHA512

    825753b71abc2b395b4006ba9f08f1d3b34cfc2bc90f60eb9d6ec57e3eb53e7c726eb9bc5f344d920cc50b6b795fb6b20caa69016f1ad35b6ab95d50a2a7fa12

  • memory/2148-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2148-16-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2148-18-0x0000000000340000-0x0000000000349000-memory.dmp

    Filesize

    36KB

  • memory/2148-27-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2148-26-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2496-34-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2496-41-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2496-47-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2716-28-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB
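The Signatures and Downloads sections above give enough to check a Windows host for this sample's footprint: four files written into C:\Windows\SysWOW64 (with SHA256 values), Run-key persistence, and the ctfmen.exe / smnss.exe process chain. The script below is an added triage example, not part of the tria.ge report and not code from the sample's author. It assumes the dropped files keep the paths and hashes listed in the report; the Run-key value name is not given on the page, so any Run value referencing one of the dropped binaries is surfaced for manual review rather than matched exactly.

```powershell
# Added host-triage script (not part of the tria.ge report). Checks a Windows host
# for the artifacts this report attributes to the sample. Run from an elevated
# PowerShell prompt; HKCU below only covers the hive of the user running it.
$ErrorActionPreference = 'SilentlyContinue'

# SHA256 values copied from the report's Downloads section.
$KnownBad = @{
    'C:\Windows\SysWOW64\satornas.dll' = '8088acfead4a1e3839ba385ac06b38ea3c1288eddd05a09c0fbd9c5bdb4e723d'
    'C:\Windows\SysWOW64\ctfmen.exe'   = 'f018775a2eaf8486586fb08d6c63d39495fdc7f6a0ee8d1df2c0a08aa0f096ae'
    'C:\Windows\SysWOW64\shervans.dll' = '745960906bae8505a2c5fa3ef7e59ac715e327652061bb3f8e8ca6aac95b1127'
    'C:\Windows\SysWOW64\smnss.exe'    = '7035e74a50c2fd2ccc4fb6f6affc5ad8b7170d9258a4bdc2481c17277b3631a7'
}
# SHA256 of the original dropper from the General section.
$SampleSha256 = '5356e532f3ed20944de09a0f02455093de8ea6ac8318411affbf86a02885d270'

$findings = @()

# 1. Dropped files. Presence alone is a finding (these are not Windows binaries);
#    a hash match additionally confirms the same build as the analysed sample.
foreach ($path in $KnownBad.Keys) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        if ($hash -eq $KnownBad[$path]) { $detail = 'SHA256 match' }
        else { $detail = "present, SHA256 differs: $hash" }
        $findings += [pscustomobject]@{ Type = 'DroppedFile'; Item = $path; Detail = $detail }
    }
}

# 2. Original dropper in any user's Temp directory, matched by hash only
#    (the report's file name is just the MD5 plus a suffix and may have been renamed).
Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp\*.exe' -File | ForEach-Object {
    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
    if ($h -eq $SampleSha256) {
        $findings += [pscustomobject]@{ Type = 'Dropper'; Item = $_.FullName; Detail = 'SHA256 match' }
    }
}

# 3. Run-key persistence. ASSUMPTION: the report does not list the value name,
#    so flag any Run value whose data references one of the dropped binaries.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$pattern = 'ctfmen\.exe|smnss\.exe|satornas\.dll|shervans\.dll'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath metadata
        if ("$($p.Value)" -match $pattern) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Item = "$key\$($p.Name)"; Detail = $p.Value }
        }
    }
}

# 4. Live processes by the dropped names (the report shows ctfmen.exe spawning smnss.exe).
Get-Process -Name ctfmen, smnss | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Process'; Item = "$($_.ProcessName) (PID $($_.Id))"; Detail = $_.Path }
}

if ($findings.Count -eq 0) { 'No artifacts from this report found on this host.' }
else { $findings | Format-Table -AutoSize }
```

A hash mismatch on a present file is still worth escalating: smnss.exe in the report is the same 119KB size as the original sample but carries different hashes, so a rebuilt or re-dropped copy is plausible, and the file names themselves have no legitimate reason to exist under SysWOW64. The Program Files drops (64 IoCs) are not enumerated on the page, so they are not checked here.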