Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 136s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/05/2024, 13:31
Static task: static1
Behavioral task: behavioral1
  Sample: c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
  Resource: win10v2004-20240419-en
General
Target: c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
Size: 119KB
MD5: c61e7d61a2d3fb46d53cf8395043b4d0
SHA1: 7f7926063a828b190cf41b4043007f561e3565d0
SHA256: 5356e532f3ed20944de09a0f02455093de8ea6ac8318411affbf86a02885d270
SHA512: 9284f686d392b47dcfbc4825b25e8551083db92d7db300b4c4af030672c39a413f05ca9ee851828d86b4e7eb8da167264d94b979aaf217a2ff1ca4ee7e0c3a30
SSDEEP: 3072:sOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:sIs9OKofHfHTXQLzgvnzHPowYbvrjD/E
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
resource | yara_rule
- behavioral2/files/0x000a000000023b99-10.dat | acprotect

Executes dropped EXE (2 IoCs)
pid | Process
- 2708 | ctfmen.exe
- 1472 | smnss.exe

Loads dropped DLL (2 IoCs)
pid | Process
- 3964 | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- 1472 | smnss.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe

Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | smnss.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | smnss.exe

Drops file in System32 directory (12 IoCs)
description | ioc | Process
- File created | C:\Windows\SysWOW64\shervans.dll | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- File created | C:\Windows\SysWOW64\grcopy.dll | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- File opened for modification | C:\Windows\SysWOW64\grcopy.dll | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- File created | C:\Windows\SysWOW64\satornas.dll | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
- File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
- File created | C:\Windows\SysWOW64\ctfmen.exe | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
- File opened for modification | C:\Windows\SysWOW64\satornas.dll | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- File opened for modification | C:\Windows\SysWOW64\shervans.dll | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- File created | C:\Windows\SysWOW64\smnss.exe | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe

Drops file in Program Files directory (8 IoCs)
description | ioc | Process
- File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | smnss.exe
- File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | smnss.exe
- File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | smnss.exe
- File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | smnss.exe
- File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | smnss.exe
- File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt | smnss.exe
- File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | smnss.exe
- File opened for modification | C:\Program Files\7-Zip\History.txt | smnss.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
- 2212 | 1472 | WerFault.exe | 93

Modifies registry class (6 IoCs)
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
- Token: SeDebugPrivilege | 1472 | smnss.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
- PID 3964 wrote to memory of 2708 | 3964 | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe | 92
- PID 3964 wrote to memory of 2708 | 3964 | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe | 92
- PID 3964 wrote to memory of 2708 | 3964 | c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe | 92
- PID 2708 wrote to memory of 1472 | 2708 | ctfmen.exe | 93
- PID 2708 wrote to memory of 1472 | 2708 | ctfmen.exe | 93
- PID 2708 wrote to memory of 1472 | 2708 | ctfmen.exe | 93
Processes
- C:\Users\Admin\AppData\Local\Temp\c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe (PID 3964)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe"
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ctfmen.exe (PID 2708)
    Command line: ctfmen.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\smnss.exe (PID 1472)
      Command line: C:\Windows\system32\smnss.exe
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 2212)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1320
        Signatures:
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4652)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1472 -ip 1472
Network
MITRE ATT&CK Enterprise v15
Downloads