Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/05/2024, 15:47

General

  • Target

    f633ffcf8d07f4e170810114275267f0_NEIKI.exe

  • Size

    61KB

  • MD5

    f633ffcf8d07f4e170810114275267f0

  • SHA1

    df131ed9140ae9a23aaea24931907e9a49a0ac0e

  • SHA256

    d0689a3de1e1a400981c5d95ac46a1c6e33661e84a622c321cae415236151939

  • SHA512

    cba58624714683094d8d9b13a2703b33732143c6c6d5b31904b8aea77e3b81279c997b8bf2c2ae70f716d47a002847b0c08b7a8eb2a0e43282a4f25b48eaf998

  • SSDEEP

    1536:Ottdse4OcUmWQIvEPZo6E5sEFd29NQgA2wwle5:Wdse4OlQZo6EKEFdGM21le5

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 7 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f633ffcf8d07f4e170810114275267f0_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\f633ffcf8d07f4e170810114275267f0_NEIKI.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\SysWOW64\ewiuer2.exe
        C:\Windows\System32\ewiuer2.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3576
        • C:\Users\Admin\AppData\Roaming\ewiuer2.exe
          C:\Users\Admin\AppData\Roaming\ewiuer2.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:3508
          • C:\Windows\SysWOW64\ewiuer2.exe
            C:\Windows\System32\ewiuer2.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4408
            • C:\Users\Admin\AppData\Roaming\ewiuer2.exe
              C:\Users\Admin\AppData\Roaming\ewiuer2.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:2040
              • C:\Windows\SysWOW64\ewiuer2.exe
                C:\Windows\System32\ewiuer2.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:3224
                • C:\Users\Admin\AppData\Roaming\ewiuer2.exe
                  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
                  8⤵
                  • Executes dropped EXE
                  PID:636

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Roaming\ewiuer2.exe

    Filesize

    61KB

    MD5

    7fb4dcd5f9d87a011f77880875d8ea40

    SHA1

    2977023181a814cb72f93e7f46b9751614c3fbd0

    SHA256

    42ef680b115eaa08c6cfca9f23d4eab523d4c09071909c0b07f5dfca1f361cea

    SHA512

    f47ef9b61d8e70d17d6feaed448abae164893d85bbee710a1466de1a39b9a3fe42664e1a152b3076816150d9b5b19bbad9f9b071fdc24cd3a4dfeda29106d27a

  • C:\Users\Admin\AppData\Roaming\ewiuer2.exe

    Filesize

    61KB

    MD5

    785fa679ba1e5f64fff2326ed37aca07

    SHA1

    a8084d41c08ab3aba11f14db3c7aa26c5db948c9

    SHA256

    a02a1ebd80f10ca78a70a09fb4f9980df406f1f6358acbb79826261811a16e44

    SHA512

    5e5f45049fbacbc37b6f8d19ea724ee2f47a83e5dee5ddf1688b952ed956b654e46d149414e283185fd6002975f8e53b1d4614913e4b37e5f4ece1841be04de7

  • C:\Users\Admin\AppData\Roaming\ewiuer2.exe

    Filesize

    61KB

    MD5

    db971480a8389911e20e833b725dcb17

    SHA1

    7fbf85b398dbf97293783355acd7228f087f9e88

    SHA256

    c905e24f449ec343f0279545850bb5bb4e711c1304b464af3bfe43a79cb93e1e

    SHA512

    d78372caf23e2b88fa536187b7b3ecca596aa26c0d5224885d943d9dd7bbf5f956f62ed8e284af841ccc7dd38ba4d6308218e28434b459e1bbc245f9bb1842c8

  • C:\Users\Admin\AppData\Roaming\ewiuer2.exe

    Filesize

    61KB

    MD5

    f4938b9add6741d5215116c2d49e453d

    SHA1

    f59ba1b6e5da1b4d9e7e4cc2a53c4f5f5cc84eba

    SHA256

    338e51c9d6d83fba88e614b00c8cfebcd0699f404134c37cfb3ce306aa83f162

    SHA512

    04059ded48469366cd2261d032e99694126caaad83417fdb786c76c7f58afccd750351f2f8f96dbadda2d2763cae8b77867781703541431004e28506102f5b8c

  • C:\Windows\SysWOW64\ewiuer2.exe

    Filesize

    61KB

    MD5

    72cea8fee3a5d2ebbfbdf0b1d5b53681

    SHA1

    bdc329ff6fcfd4480691318d1744997502d77988

    SHA256

    a959ceff45dbf66c9cbfe810f61c976448f876e8131d21fc576482f3db94387a

    SHA512

    0ffae24a34c8a181c34e24046aee2bc044389f7f5ceb4285c25c5f034d101aa9fb7a159b1915bc15d2eb8b5af2a6587805ca7ec23805a3c67b780b9997718f13

  • C:\Windows\SysWOW64\ewiuer2.exe

    Filesize

    61KB

    MD5

    be4b5c51c72404ffb5d04c9ae19378b5

    SHA1

    046075a59418a924672e012a4759625ef61ec12c

    SHA256

    8c383e6db93ac696e8076b2b2f091c7fea2c1169a95c2ff9af138854c3ebdef3

    SHA512

    022ffd1c85e606f5d2abd347f7ebe384219646bc706e20bce06a55ce94505b2174847437eeec4dbece5023be038f8e9dc4171dd46b9b2512904278958efae052

  • C:\Windows\SysWOW64\ewiuer2.exe

    Filesize

    61KB

    MD5

    dc8dfbc48719fc48cf2e0f58a51f2df2

    SHA1

    722461239e7800dbdb5f78766b49cfd5ae20fa9f

    SHA256

    e2ce129e9dede775fec96bd8fa8d8bac54e332c7dac103d36f42600f3dca2890

    SHA512

    f3afe449a9cc67ca9dfae5eac4a989a3d6abc8e108cfaccef7116afdd3b5a0e2d72613d6d6df2383626cc3ceb72a6007f8550bdf4d01c7d17819887c43bfa6f7