Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

a5dd2daa66...KI.exe

windows7-x64

10

a5dd2daa66...KI.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 00:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5dd2daa6666502240d5a7bb0d6611b0_NEIKI.exe

  • Size

    19KB

  • MD5

    a5dd2daa6666502240d5a7bb0d6611b0

  • SHA1

    2df076f3411d8745a19ce00bdea81fd62894e677

  • SHA256

    7d8624ed52ffd3b85da670994bfaefded16c7849ce5935f4a912c06fc769aa05

  • SHA512

    de3350a6ccbe5a38795b63e50d4146e25aec8de9fb668d23d3a1884c0514bcfe2d3a27a9363892d2c8b8ac42d7001f609ae7e4f501122764fd3246aced4c9012

  • SSDEEP

    384:UBWoC5GDr6wc/w3HgM6vDUTAXBGCVf4WVlFvX+fauB:rRkiLw3HsDSARGG/uv

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Drivers directory 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:620
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3556
        • C:\Users\Admin\AppData\Local\Temp\a5dd2daa6666502240d5a7bb0d6611b0_NEIKI.exe
          "C:\Users\Admin\AppData\Local\Temp\a5dd2daa6666502240d5a7bb0d6611b0_NEIKI.exe"
          2⤵
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3820
          • C:\Windows\SysWOW64\rmass.exe
            "C:\Windows\system32\rmass.exe"
            3⤵
            • Windows security bypass
            • Drops file in Drivers directory
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1256
            • C:\Windows\SysWOW64\rmass.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:3420

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\RECOVER32.DLL
        Filesize

        5KB

        MD5

        2b2c28a7a01f9584fe220ef84003427f

        SHA1

        5fc023df0b5064045eb8de7f2dbe26f07f6fec70

        SHA256

        9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

        SHA512

        39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

        Download Submit

      • C:\Windows\SysWOW64\ahuy.exe
        Filesize

        21KB

        MD5

        fdb3302732bea53708111b958375317d

        SHA1

        f8c1ee820af7b77859c93344bc2ea33f3aecb15b

        SHA256

        0c5075f6d9eef691851cc8bf598525be8e0ffac5cb097b0435f49c8867f65f9b

        SHA512

        d74b188bb9e4e9b51450794a3965db09c981071d76f469de949ed36cfac5fea4b1b5fdbda22276a34f89c1cc07301b9f67a65d2d6f24fdaaaa6f87e98f57f115

        Download Submit

      • C:\Windows\SysWOW64\ntdbg.exe
        Filesize

        22KB

        MD5

        bdcbcbcd475c46ab8eef6b2b62ea3a8e

        SHA1

        d069d5e1c8ce848df82e856e8381183f2b8aabd8

        SHA256

        93f2de04a49df40defd7c1787ec42d68b4b0a1a5438a7433d322c0281f6d6346

        SHA512

        48680654026f6c4d45f238d26e8de397a0cc2a461a0083fbd077bc2722d7a84a065ac9c183c64c206d0c5e03c77c555820c9c5b531b99ef54fb45c29d895417b

        Download Submit

      • C:\Windows\SysWOW64\rmass.exe
        Filesize

        19KB

        MD5

        a5dd2daa6666502240d5a7bb0d6611b0

        SHA1

        2df076f3411d8745a19ce00bdea81fd62894e677

        SHA256

        7d8624ed52ffd3b85da670994bfaefded16c7849ce5935f4a912c06fc769aa05

        SHA512

        de3350a6ccbe5a38795b63e50d4146e25aec8de9fb668d23d3a1884c0514bcfe2d3a27a9363892d2c8b8ac42d7001f609ae7e4f501122764fd3246aced4c9012

        Download Submit

      • C:\Windows\System32\drivers\etc\hosts
        Filesize

        1KB

        MD5

        6f47b62de25d1745e296a06b3f98ed19

        SHA1

        a688bb35a4c8a5cc198985d624a1b5a6ac5b9f6f

        SHA256

        15c7218eb9cef5fa0573db657b15ce3a5f0e0609f1166df8098ca7152df505b4

        SHA512

        dea26fff8060f44bf20fe4fff2ecbacf428727f10c0f5886fb4813e28fce9cbc3d088337c84edd9857b18514c83f1bb1cf0f51518aaecef09f30e921f4d758d7

        Download Submit

      • memory/1256-13-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1256-53-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3420-19-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3820-0-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3820-12-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download