Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 21:42

General

  • Target

    0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe

  • Size

    75KB

  • MD5

    0580e3a0d0b88d30e2e9a6c5e35a7ef0

  • SHA1

    dfaf39964055ad2a918d8cc7bdd0db25a2bc8c1e

  • SHA256

    44f48a4b415a5b4f287e3eb72524a8585aa425cb6fb644f6e2463f4821a3959c

  • SHA512

    1440335f35bf2fa934b60f2009c514544e66a387f8473f6fbc452ec47a78dd36a86acf36bb1acd422812ec8ea208359544ff453b6235fc1c51295ae26ff0714b

  • SSDEEP

    1536:8x1Qja7luy6y0s4sqfkbnAKBOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3v:0OjWuyt0ZsqsXOKofHfHTXQLzgvnzHP3

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0580e3a0d0b88d30e2e9a6c5e35a7ef0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3432
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1356
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:876
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1488
          4⤵
          • Program crash
          PID:4900
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 876 -ip 876
    1⤵
      PID:956

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\SysWOW64\ctfmen.exe

      Filesize

      4KB

      MD5

      65e22c0d8fd9760821db7324b3d73210

      SHA1

      29b8afeaf83063720df566c3247564f2c42a7757

      SHA256

      f1fa60a3d7ac1ff0ffb2561cc68e7b888bcde03875b2db97b88899ece9af1c85

      SHA512

      9e069da63746cfbc5affd472a5186609ce6e3e7a4410e468f364a6496c10bd8dc558a87bd95d8df1d41fda256c6bdb2668c9b137558e845e23f26d9be896d1fd

    • C:\Windows\SysWOW64\grcopy.dll

      Filesize

      75KB

      MD5

      0bf52c1e641a27a85609f5d689a0716b

      SHA1

      53a43411046c967b00105d0d45c69dd0ba8db2cc

      SHA256

      293352d5de10b5bd7ec51eee75173113f76617cd86c5a0310c361e8d49184571

      SHA512

      a9955b0e00d1079ca26ecf1b9f2ecfedb4b90e6d1bdba007c68e3890e8107a411d9c83966a46b718792a1b4855dbbd6ab6c530caa70475921dc4dc0c65a671e8

    • C:\Windows\SysWOW64\satornas.dll

      Filesize

      183B

      MD5

      8477dcd8766efb086886f1ac87a40ee6

      SHA1

      34a979ce520dba8f5f9f8cb5ad9430a79461f88f

      SHA256

      521d8669c0f9794f56f0eba1dcaf1e7a24518ac06719117b00b8bbf0c17419e5

      SHA512

      4024a4be55d54c9d9215f71a48696a2679979a4b0ff7f223e6d35069d8608a4f70811317e9b7ab3dd9160d4bbe29d8ee5077edafbeaadcc777ba3acc2492b80e

    • C:\Windows\SysWOW64\shervans.dll

      Filesize

      8KB

      MD5

      3f01867e1e6641f093dd53b530cc4b42

      SHA1

      23bd7ad08a1c1b0c044e031c92128042f86d4e6d

      SHA256

      f3a35289931d4e45483e48ef317908b72794c74270f21d53132407746115fda8

      SHA512

      e62715bddd27a0a4b45af9df6b2e34dd9803822d1709e5e1ea34b5224b7976db6b6d10c6525c398ab2dcae3fee5e04fcbbdcbad1fccbc7abf358d5096daab67f

    • memory/876-35-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/876-36-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

    • memory/1356-26-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/3432-17-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/3432-23-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/3432-20-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB