
Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/05/2024, 14:30

General

  • Target

    d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe

  • Size

    73KB

  • MD5

    d9f6cc1f329247ba47b601152682dbe0

  • SHA1

    b43c68565a8e17ab1acf1cb85a985308ac7ac0a8

  • SHA256

    982d91aff28460297d85466216fd4daff735983889b04abf570eca4fc751d406

  • SHA512

    e316f1fa447bd34b5719c15e5c01e12c2fb9e08ba7a9f93e8634ec2a71934d0a9bc3c77140d4a96700ef076813e375cf730b4b3b52422b7b1f578d7f56fa48c7

  • SSDEEP

    1536:xhyzSbfyFejaeYfP9u8K7Jh0yM16y7Y9sph:VbfoemeYdu8A0yM16ysSr

Malware Config

Signatures

  • Windows security bypass (2 TTPs, 4 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  • Sets file execution options in registry (2 TTPs, 3 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Windows security modification (2 TTPs, 4 IoCs)
  • Modifies WinLogon (2 TTPs, 5 IoCs)
  • Drops file in System32 directory (9 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3536
        • C:\Users\Admin\AppData\Local\Temp\d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe
          "C:\Users\Admin\AppData\Local\Temp\d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe"
          2⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1608
          • C:\Windows\SysWOW64\ouvgooxub-ameas.exe
            "C:\Windows\SysWOW64\ouvgooxub-ameas.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1508
            • C:\Windows\SysWOW64\ouvgooxub-ameas.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:3812
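The process tree above shows a three-step chain: the submitted sample in the user's Temp directory (PID 1608) starts a dropped executable from SysWOW64 (PID 1508), which relaunches its own image with the single switch --k33p (PID 3812). The following is an added example of turning that chain into two process-creation rules and running them over constructed events; it is not code from the report or the sandbox. The event shape (pid, ppid, image, args), the benign notepad event and the unknown parent PIDs of winlogon and explorer are assumptions of the example; the PIDs, image paths and the --k33p argument are the report's.

```python
"""Flag the report's execution chain in process-creation events.

Added example, not part of the tria.ge report. Events are a minimal
Sysmon-like shape constructed here; see SAMPLE_EVENTS for what is copied
from the report and what is made up.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str   # full image path
    args: str    # command-line arguments without the image ("" if none)


USER_TEMP = r"\appdata\local\temp"   # substring of any user's Temp directory
SYSWOW64 = r"c:\windows\syswow64"


def _parent_dir(image: str) -> str:
    return str(PureWindowsPath(image).parent).lower()


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


# Constructed from the report's process tree. PIDs, images and the --k33p
# argument are the report's. Parent PIDs of winlogon/explorer are not in the
# report (0 = unknown here), and the notepad event is a made-up benign control.
SAMPLE_EVENTS = (
    ProcEvent(616, 0, r"C:\Windows\system32\winlogon.exe", ""),
    ProcEvent(3536, 0, r"C:\Windows\Explorer.EXE", ""),
    ProcEvent(1608, 3536,
              r"C:\Users\Admin\AppData\Local\Temp\d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe", ""),
    ProcEvent(1508, 1608, r"C:\Windows\SysWOW64\ouvgooxub-ameas.exe", ""),
    ProcEvent(3812, 1508, r"C:\Windows\SysWOW64\ouvgooxub-ameas.exe", "--k33p"),
    ProcEvent(4100, 3536, r"C:\Windows\System32\notepad.exe", ""),
)


def flag_chain(events) -> list:
    """Return sorted (reason, pid) pairs for events matching the report's chain.

    Rule 1: an executable under SysWOW64 whose parent runs from a user Temp
            directory (the 1608 -> 1508 step: dropped EXE executed).
    Rule 2: same image name as the parent, parent started without arguments,
            child started with a switch (the 1508 -> 3812 "--k33p" relaunch).
            Rule 2 is noisy on its own (updaters and service hosts do this);
            treat it as corroboration for rule 1, not as a standalone alert.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue   # parent not in the event set; nothing to correlate
        if _parent_dir(e.image) == SYSWOW64 and USER_TEMP in _parent_dir(parent.image):
            hits.append(("dropped-exe-from-temp", e.pid))
        if (_basename(e.image) == _basename(parent.image)
                and not parent.args and e.args.startswith("-")):
            hits.append(("self-relaunch-with-switch", e.pid))
    return sorted(hits)


if __name__ == "__main__":
    for reason, pid in flag_chain(SAMPLE_EVENTS):
        print(f"{reason:28} pid={pid}")
```

On a real host the ppid/image/args fields map onto Sysmon Event ID 1 (ParentProcessId, Image, CommandLine) or the equivalent EDR telemetry; rule 1 is the one worth alerting on, rule 2 raises the score when both fire in the same parent chain.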

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Windows\SysWOW64\ardoapoat.dll

        Filesize

        5KB

        MD5

        f37b21c00fd81bd93c89ce741a88f183

        SHA1

        b2796500597c68e2f5638e1101b46eaf32676c1c

        SHA256

        76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

        SHA512

        252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

      • C:\Windows\SysWOW64\bkacut.exe

        Filesize

        74KB

        MD5

        3abcee4c3d8420f6d7778d93c7d232ad

        SHA1

        3e6acac071167d6bcd5db60cd2b89923bef953e9

        SHA256

        0a8961057c246a5330db810fb13279d77473e95fbe35ee6cea1683dcac67179c

        SHA512

        887f08ac0b813d74151d39c2138c17e256e200a6d4f8bfe97a1d5eebd9b1488100312f9b53a185a0d441951da5fedaeda8fc98a49ae04430187fb99e030a83e8

      • C:\Windows\SysWOW64\enbomam-uded.exe

        Filesize

        73KB

        MD5

        368db358de41f06a33ae8cf9d3d845eb

        SHA1

        09f19f4adbdfb6a640d01e5092bebb86137e9903

        SHA256

        bd4a18e8195e2c681a760de1e29e9d8e378119007f4d77b04dd6acf769518028

        SHA512

        89023639ea2cfea24c08ab2d31226d56ffe1ff853b27024515b72225f238851433b2e758f26c96eb593121943da39e649f255972d74f85d5df5653deb258a077

      • C:\Windows\SysWOW64\ouvgooxub-ameas.exe

        Filesize

        71KB

        MD5

        c402bfee0f875a3e934866a809a99147

        SHA1

        41c297d90b227ceeb3293a95143e909dafd1bf2d

        SHA256

        31b6352c136a8925743991109b0960ac2ccdd0ae831a3daf597a3f6b76d1928b

        SHA512

        3c01214c9ebc17eef9d9a12679bcef4d5f263c29e8383560ebc8911921f7b6b9ea4f5b4669252d444ad74b345510079100732c097c47bf45f423ffdce4700038

      • memory/1508-47-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/1608-3-0x0000000000400000-0x0000000000403000-memory.dmp

        Filesize

        12KB

      • memory/3812-48-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB
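The Downloads section gives the path and MD5/SHA1/SHA256 of every file the sample wrote. One thing to keep in mind when hunting: the signature reads "Drops file in System32 directory" but the observed paths are under SysWOW64, because the sample is 32-bit (arch:x86 in the resource tags) running on an x64 image and WOW64 file-system redirection maps its System32 writes there; on a 32-bit host the same drops would land in System32. The block below is an added example, not part of the report, that carries the report's file indicators into a small filesystem hunt: it walks a directory, hashes each file once, and reports exact hash matches as well as files that merely reuse a dropped-file name (likely repacked variants). The scan root, the chunk size and the helper names are this example's assumptions; the paths and digests in REPORT_IOCS are copied from the report.

```python
"""Hunt a directory tree for the files listed in this report.

Added example, not part of the tria.ge report or the sample. REPORT_IOCS is
copied from the report (target plus Downloads); everything else is assumed.
"""
import hashlib
import os
from dataclasses import dataclass
from pathlib import Path, PureWindowsPath


@dataclass(frozen=True)
class FileIoc:
    path: str      # path as observed in the sandbox (x64 host, hence SysWOW64)
    md5: str
    sha1: str
    sha256: str

    @property
    def name(self) -> str:
        return PureWindowsPath(self.path).name.lower()


# Copied verbatim from the report: the submitted target and the four dropped files.
REPORT_IOCS = (
    FileIoc(r"C:\Users\Admin\AppData\Local\Temp\d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe",
            "d9f6cc1f329247ba47b601152682dbe0",
            "b43c68565a8e17ab1acf1cb85a985308ac7ac0a8",
            "982d91aff28460297d85466216fd4daff735983889b04abf570eca4fc751d406"),
    FileIoc(r"C:\Windows\SysWOW64\ardoapoat.dll",
            "f37b21c00fd81bd93c89ce741a88f183",
            "b2796500597c68e2f5638e1101b46eaf32676c1c",
            "76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0"),
    FileIoc(r"C:\Windows\SysWOW64\bkacut.exe",
            "3abcee4c3d8420f6d7778d93c7d232ad",
            "3e6acac071167d6bcd5db60cd2b89923bef953e9",
            "0a8961057c246a5330db810fb13279d77473e95fbe35ee6cea1683dcac67179c"),
    FileIoc(r"C:\Windows\SysWOW64\enbomam-uded.exe",
            "368db358de41f06a33ae8cf9d3d845eb",
            "09f19f4adbdfb6a640d01e5092bebb86137e9903",
            "bd4a18e8195e2c681a760de1e29e9d8e378119007f4d77b04dd6acf769518028"),
    FileIoc(r"C:\Windows\SysWOW64\ouvgooxub-ameas.exe",
            "c402bfee0f875a3e934866a809a99147",
            "41c297d90b227ceeb3293a95143e909dafd1bf2d",
            "31b6352c136a8925743991109b0960ac2ccdd0ae831a3daf597a3f6b76d1928b"),
)


def hash_file(path: Path) -> dict:
    """Stream the file once and return {"md5", "sha1", "sha256"} hex digests."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {k: h.hexdigest() for k, h in hashers.items()}


def hunt(root: Path, iocs=REPORT_IOCS) -> list:
    """Walk `root` and return sorted (kind, found_path, reported_path) tuples.

    kind == "hash": the file's SHA256 equals a reported digest (exact sample).
    kind == "name": the file only shares a reported file name; its content
    differs, which is what a repacked variant looks like. Treat as a lead.
    """
    by_sha256 = {i.sha256: i for i in iocs}
    by_name = {}
    for i in iocs:
        by_name.setdefault(i.name, []).append(i)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            fpath = Path(dirpath) / fname
            try:
                digests = hash_file(fpath)
            except OSError:
                continue   # locked or unreadable file: skip it, keep scanning
            if digests["sha256"] in by_sha256:
                findings.append(("hash", str(fpath), by_sha256[digests["sha256"]].path))
            elif fname.lower() in by_name:
                for ioc in by_name[fname.lower()]:
                    findings.append(("name", str(fpath), ioc.path))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    scan_root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for kind, found, reported in hunt(scan_root):
        print(f"{kind:5} {found}  (reported as {reported})")
```

Run it as `python hunt.py C:\Windows\SysWOW64` on a suspect x64 host (and against System32 as well, for the 32-bit-host case noted above). A name-only hit is not proof of infection, but a SysWOW64 binary with one of these names and a different hash deserves the same triage as the original sample.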