Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08/05/2024, 21:12
Static task
- static1
Behavioral task
- behavioral1
  Sample: 5646807a031eaa6ccccc05d86a7f7b90_NEIKI.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 5646807a031eaa6ccccc05d86a7f7b90_NEIKI.exe
  Resource: win10v2004-20240508-en
General
- Target: 5646807a031eaa6ccccc05d86a7f7b90_NEIKI.exe
- Size: 364KB
- MD5: 5646807a031eaa6ccccc05d86a7f7b90
- SHA1: 13fcd14d37edf4c20d9582d5d55a33010a1a9251
- SHA256: e27fbea020f84bb3c0102e3e3eff8eb3ff77596d85d3caa3ed12962661d3d6cc
- SHA512: c8d2623f9e4b34b04fe649922f66fc7369cae9899b4f25f4882455bd7c3f4955e08594022eada9c24bb7472a1d8623dcaf915c22d2b8d77f5dd3cdb647a2fb88
- SSDEEP: 3072:J/yXvD2enVN5UkLPp1f5mbUM96Zvx+UZkxvU84xUa4bjRTItEcmHj:J/yfD2Apf04GuvIUZeqJ2jydmHj
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
  pid   Process
  2808  dbilzqh.exe
- Drops file in Program Files directory (2 IoCs)
  description   ioc                                Process
  File created  C:\PROGRA~3\Mozilla\dbilzqh.exe    5646807a031eaa6ccccc05d86a7f7b90_NEIKI.exe
  File created  C:\PROGRA~3\Mozilla\zxoabnc.dll    dbilzqh.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2868  5646807a031eaa6ccccc05d86a7f7b90_NEIKI.exe
  2808  dbilzqh.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                      pid   Process      procid_target
  PID 2344 wrote to memory of 2808  2344  taskeng.exe  29
  PID 2344 wrote to memory of 2808  2344  taskeng.exe  29
  PID 2344 wrote to memory of 2808  2344  taskeng.exe  29
  PID 2344 wrote to memory of 2808  2344  taskeng.exe  29
Processes
- C:\Users\Admin\AppData\Local\Temp\5646807a031eaa6ccccc05d86a7f7b90_NEIKI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5646807a031eaa6ccccc05d86a7f7b90_NEIKI.exe"
  Depth: 1
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID: 2868
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {73E7A09F-8590-4950-9A70-65B585CBB836} S-1-5-18:NT AUTHORITY\System:Service:
  Depth: 1
  - Suspicious use of WriteProcessMemory
  PID: 2344
  - C:\PROGRA~3\Mozilla\dbilzqh.exe
    Command line: C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg
    Depth: 2
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    PID: 2808
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 364KB
  MD5: 06e41a94a7d97e70ed4a2db98ea2a667
  SHA1: f8d6ad2ae0db3cdb4c4d959e5b0eb0442d6a7d85
  SHA256: bed91e0316b0819a24c02d2bf86adca150301c5160c885ba2f878750ff289a66
  SHA512: 37608f806f19b8384764022eeb78ea8dd73cb238dfa2820ad8068d4903cb3309ee0460d8575074daa7ace8238120df5dfa2484ed9eb8fac194020c89d5749884