Analysis

  • max time kernel
    136s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/05/2024, 13:31

General

  • Target

    c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe

  • Size

    119KB

  • MD5

    c61e7d61a2d3fb46d53cf8395043b4d0

  • SHA1

    7f7926063a828b190cf41b4043007f561e3565d0

  • SHA256

    5356e532f3ed20944de09a0f02455093de8ea6ac8318411affbf86a02885d270

  • SHA512

    9284f686d392b47dcfbc4825b25e8551083db92d7db300b4c4af030672c39a413f05ca9ee851828d86b4e7eb8da167264d94b979aaf217a2ff1ca4ee7e0c3a30

  • SSDEEP

    3072:sOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:sIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\c61e7d61a2d3fb46d53cf8395043b4d0_NEIKI.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3964
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1472
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 1320
          4⤵
          • Program crash
          PID:2212
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1472 -ip 1472
    1⤵
      PID:4652

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\ctfmen.exe

      Filesize

      4KB

      MD5

      80e3b3d423fc43e025e650aefcf631c4

      SHA1

      b3ac3e57077ab09dd06e5f456ed94a028266ddbc

      SHA256

      7869a9dcb8aeb9525a6e6b24d9b31b85a4c68e75519c8426bf03f8fd01f49573

      SHA512

      a30502780e0db3ebe245a76afde9c2b97fe7b3013039fa167d19696d242b81e01be758880e8a0aca8d97e00f82b6d9517e9c6cd19b1688714ca0d40e36c5422c

    • C:\Windows\SysWOW64\grcopy.dll

      Filesize

      119KB

      MD5

      c78d9f96cca4903677f7eccddb328dc1

      SHA1

      5deb3605d077c16d639f5e5747a60251b2948f7b

      SHA256

      5429b279e883f6ec8fb55dbabc674c33ca34a642fb9fca8ed1f28bd42140b9a2

      SHA512

      fc8df255e778430c3fa0d7170a7e2f7359561c6def74f9fc9b151709e600edf7b81f759a56ac1b22868175c6c26eff916459809252afd04dad69fc9bcac77eff

    • C:\Windows\SysWOW64\satornas.dll

      Filesize

      183B

      MD5

      895ba7da7163a14ee38bc99b3df80e1d

      SHA1

      911fee657d9bef87cc7aa4905bf187c4a44aa7b2

      SHA256

      b1ccad39410ac2c6d86717bd7738d8adce9d5a25d4cf1c722098be1a9f42a660

      SHA512

      47b7f4ee471c0785c1afb5f25afd4efa052cb0ae7d12cc813de4d53a1cb16125c3c747ca5fe8344c01cff30114be47a8bc8f45b6d4683744fc10f62e7fbca547

    • C:\Windows\SysWOW64\shervans.dll

      Filesize

      8KB

      MD5

      43ad5846043be4d3b15e6c10a33928bd

      SHA1

      48734e237a64d5e7e0ecf2e43545e2a3ec276990

      SHA256

      9d0c37398e59e482a8cb9561d7b3c482ffe92f37f385c0019a3338043a48fe12

      SHA512

      dbb0aee0acab8a389442eb60233ccfeb4850d58324586b0eb510beb178c8212e7137456bc25c1012eb351a388f672b4101077fe63e7070e7acc0a7359ca7b0c5

    • memory/1472-31-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/1472-40-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/1472-38-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/2708-25-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/2708-29-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/3964-22-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/3964-0-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/3964-24-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/3964-18-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB