Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
  • submitted
    08/05/2024, 14:30

General

  • Target

    d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe

  • Size

    73KB

  • MD5

    d9f6cc1f329247ba47b601152682dbe0

  • SHA1

    b43c68565a8e17ab1acf1cb85a985308ac7ac0a8

  • SHA256

    982d91aff28460297d85466216fd4daff735983889b04abf570eca4fc751d406

  • SHA512

    e316f1fa447bd34b5719c15e5c01e12c2fb9e08ba7a9f93e8634ec2a71934d0a9bc3c77140d4a96700ef076813e375cf730b4b3b52422b7b1f578d7f56fa48c7

  • SSDEEP

    1536:xhyzSbfyFejaeYfP9u8K7Jh0yM16y7Y9sph:VbfoemeYdu8A0yM16ysSr

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Sets file execution options in registry 2 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1228
        • C:\Users\Admin\AppData\Local\Temp\d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe
          "C:\Users\Admin\AppData\Local\Temp\d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2444
          • C:\Windows\SysWOW64\ouvgooxub-ameas.exe
            "C:\Windows\SysWOW64\ouvgooxub-ameas.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1784
            • C:\Windows\SysWOW64\ouvgooxub-ameas.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2808

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Windows\SysWOW64\ardoapoat.dll

        Filesize

        5KB

        MD5

        f37b21c00fd81bd93c89ce741a88f183

        SHA1

        b2796500597c68e2f5638e1101b46eaf32676c1c

        SHA256

        76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

        SHA512

        252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

      • C:\Windows\SysWOW64\bkacut.exe

        Filesize

        74KB

        MD5

        b1fa3ef216e4dcccd45482e781b19dd2

        SHA1

        d6504441f0d33dfff83b54ac580a27c91f0f71d5

        SHA256

        4e3524cd4c0184d4615356bf86a9b417c6c15b0e6d8a4cd3227114d3bee74e84

        SHA512

        080729d14be62286e8fd21a6a9194beb1faee494933efb710af3dfe319aefcc015d6c104b5d34d9f087163dca966b130bb42d5f72a0785f3c0e573d966fcb8c4

      • C:\Windows\SysWOW64\enbomam-uded.exe

        Filesize

        73KB

        MD5

        a036db1d7d133db0dd4c790c65b18c5c

        SHA1

        8e7d259cc1bb2d1aa0d70e70fc497365a14a936d

        SHA256

        88842d151391a22cc885973cfa7e7f3f26a12d2649620238bffcb1a6e5c13dd4

        SHA512

        0e4594105e75e447c40c0ef8bdad7cd6fb9ed501a7c985b02547e28dde47c1f9e406a3967578b9e415c10acb96dfed44c4fae8744183c27df6e566a5ca8b03d8

      • \Windows\SysWOW64\ouvgooxub-ameas.exe

        Filesize

        71KB

        MD5

        c402bfee0f875a3e934866a809a99147

        SHA1

        41c297d90b227ceeb3293a95143e909dafd1bf2d

        SHA256

        31b6352c136a8925743991109b0960ac2ccdd0ae831a3daf597a3f6b76d1928b

        SHA512

        3c01214c9ebc17eef9d9a12679bcef4d5f263c29e8383560ebc8911921f7b6b9ea4f5b4669252d444ad74b345510079100732c097c47bf45f423ffdce4700038

      • memory/1784-53-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/2444-7-0x0000000000400000-0x0000000000403000-memory.dmp

        Filesize

        12KB

      • memory/2808-54-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB