Analysis
max time kernel: 149s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 08/05/2024, 14:30
Static task: static1
Behavioral task: behavioral1
  Sample: d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe
  Resource: win10v2004-20240508-en
General
Target: d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe
Size: 73KB
MD5: d9f6cc1f329247ba47b601152682dbe0
SHA1: b43c68565a8e17ab1acf1cb85a985308ac7ac0a8
SHA256: 982d91aff28460297d85466216fd4daff735983889b04abf570eca4fc751d406
SHA512: e316f1fa447bd34b5719c15e5c01e12c2fb9e08ba7a9f93e8634ec2a71934d0a9bc3c77140d4a96700ef076813e375cf730b4b3b52422b7b1f578d7f56fa48c7
SSDEEP: 1536:xhyzSbfyFejaeYfP9u8K7Jh0yM16y7Y9sph:VbfoemeYdu8A0yM16ysSr
Malware Config
Signatures
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ouvgooxub-ameas.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ouvgooxub-ameas.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ouvgooxub-ameas.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ouvgooxub-ameas.exe
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{534E4656-4751-4c55-534E-465647514c55}\IsInstalled = "1" | ouvgooxub-ameas.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{534E4656-4751-4c55-534E-465647514c55}\StubPath = "C:\\Windows\\system32\\enbomam-uded.exe" | ouvgooxub-ameas.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{534E4656-4751-4c55-534E-465647514c55} | ouvgooxub-ameas.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{534E4656-4751-4c55-534E-465647514c55}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | ouvgooxub-ameas.exe
Sets file execution options in registry 2 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | ouvgooxub-ameas.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | ouvgooxub-ameas.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\bkacut.exe" | ouvgooxub-ameas.exe
Executes dropped EXE 2 IoCs
pid | Process
1508 | ouvgooxub-ameas.exe
3812 | ouvgooxub-ameas.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ouvgooxub-ameas.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ouvgooxub-ameas.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ouvgooxub-ameas.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ouvgooxub-ameas.exe
Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | ouvgooxub-ameas.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | ouvgooxub-ameas.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ardoapoat.dll" | ouvgooxub-ameas.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | ouvgooxub-ameas.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | ouvgooxub-ameas.exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ardoapoat.dll | ouvgooxub-ameas.exe
File opened for modification | C:\Windows\SysWOW64\ouvgooxub-ameas.exe | d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe
File created | C:\Windows\SysWOW64\ouvgooxub-ameas.exe | d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe
File opened for modification | C:\Windows\SysWOW64\bkacut.exe | ouvgooxub-ameas.exe
File created | C:\Windows\SysWOW64\bkacut.exe | ouvgooxub-ameas.exe
File opened for modification | C:\Windows\SysWOW64\enbomam-uded.exe | ouvgooxub-ameas.exe
File created | C:\Windows\SysWOW64\enbomam-uded.exe | ouvgooxub-ameas.exe
File created | C:\Windows\SysWOW64\ardoapoat.dll | ouvgooxub-ameas.exe
File opened for modification | C:\Windows\SysWOW64\ouvgooxub-ameas.exe | ouvgooxub-ameas.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1508 | ouvgooxub-ameas.exe
3812 | ouvgooxub-ameas.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1508 | ouvgooxub-ameas.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1608 wrote to memory of 1508 | 1608 | d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe | 79
PID 1508 wrote to memory of 3812 | 1508 | ouvgooxub-ameas.exe | 80
PID 1508 wrote to memory of 616 | 1508 | ouvgooxub-ameas.exe | 5
PID 1508 wrote to memory of 3536 | 1508 | ouvgooxub-ameas.exe | 56
Processes
- C:\Windows\system32\winlogon.exe (command line: winlogon.exe) PID:616
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE) PID:3536
  - C:\Users\Admin\AppData\Local\Temp\d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe (command line: "C:\Users\Admin\AppData\Local\Temp\d9f6cc1f329247ba47b601152682dbe0_NEIKI.exe") PID:1608
    signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ouvgooxub-ameas.exe (command line: "C:\Windows\SysWOW64\ouvgooxub-ameas.exe") PID:1508
      signatures: Windows security bypass; Modifies Installed Components in the registry; Sets file execution options in registry; Executes dropped EXE; Windows security modification; Modifies WinLogon; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ouvgooxub-ameas.exe (command line: --k33p) PID:3812
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads