Analysis
-
max time kernel
120s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
09/05/2024, 00:09
Behavioral task
behavioral1
Sample
a79c48cf06445940266124a7558aebf0_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a79c48cf06445940266124a7558aebf0_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
a79c48cf06445940266124a7558aebf0_NEIKI.exe
-
Size
156KB
-
MD5
a79c48cf06445940266124a7558aebf0
-
SHA1
6aa4b463ba231debb37f4816b974d7fb0d192d53
-
SHA256
3bf266d062a52d012d498077f33aa7aa324f70535552979d23b8c730b382f30d
-
SHA512
238ac1f46e808bb2c8f0e90221c7e3803fa5d11e99aba586c4952d35084f1255ceb1b079285ff2ff5526bb9e3b2c6454a4b41ec2d359139622ab20efe1817f1f
-
SSDEEP
3072:1QmK6GEvn9Oa2tr2Y+Lysughilfzc1DZDXdns0blS8iVBXdqTEk05:SmKZG9q2RmCakNi0bvGXdqA
Malware Config
Signatures
-
Modifies AppInit DLL entries 2 TTPs
-
resource: behavioral1/files/0x002e000000014698-7.dat, yara_rule: aspack_v212_v242 -
Executes dropped EXE 1 IoCs
pid: 2516, Process: tbckyxk.exe -
Drops file in Program Files directory 2 IoCs
description: File created, ioc: C:\PROGRA~3\Mozilla\tbckyxk.exe, Process: a79c48cf06445940266124a7558aebf0_NEIKI.exe
description: File created, ioc: C:\PROGRA~3\Mozilla\newtrln.dll, Process: tbckyxk.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid: 2380, Process: a79c48cf06445940266124a7558aebf0_NEIKI.exe
pid: 2516, Process: tbckyxk.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description: PID 2700 wrote to memory of 2516, pid: 2700, Process: taskeng.exe, procid_target: 29
description: PID 2700 wrote to memory of 2516, pid: 2700, Process: taskeng.exe, procid_target: 29
description: PID 2700 wrote to memory of 2516, pid: 2700, Process: taskeng.exe, procid_target: 29
description: PID 2700 wrote to memory of 2516, pid: 2700, Process: taskeng.exe, procid_target: 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\a79c48cf06445940266124a7558aebf0_NEIKI.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a79c48cf06445940266124a7558aebf0_NEIKI.exe"
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2380
-
C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {D04852F5-92CE-4E13-BC3A-1C63E19CAD1F} S-1-5-18:NT AUTHORITY\System:Service:
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\PROGRA~3\Mozilla\tbckyxk.exe (child of PID 2700)
Command line: C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2516
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
156KB
MD5
ed48350dc6067e659f6e14177e13736c
SHA1
c5ea6c1d0ad998ba8290f00f2cf81ade9339b4f9
SHA256
27a45e990683b6fd1357a666a168ddcdd5ad24cae307cc1585185e84ddb8131e
SHA512
ea4b12c926b97ba81fca94ed5aaa6887e34405106e930fe7b7d1aa996a45166cd59860ee38475550f41039eb4f6a141e8b2fba421bd37ed2bd41abe1425ab9e1