Analysis
- max time kernel: 121s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 09/05/2024, 01:50
Behavioral task behavioral1
- Sample: c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe
- Resource: win7-20240215-en
Behavioral task behavioral2
- Sample: c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe
- Resource: win10v2004-20240226-en
General
- Target: c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe
- Size: 204KB
- MD5: c50e1fae2032a895de7622eed4d3bb10
- SHA1: 48e3d581eeecc5cb46f681c16fc7200ec343ceac
- SHA256: a441982cf9d2fb555a97c2d7b3a240b4d30ff5ec4653c8e493515fd04e1030f7
- SHA512: 86057ca7c5cd75368c5bbd22170cfc66f37446fd39e8ba1dd42170e6245662204073b4a408b68fd53d06d73af7dbda0d11d3a7d7e2473b67687dd8b9fec0bc0e
- SSDEEP: 6144:y8LuYnRrkkz2I7qWZIO1EWln3kLGqpX0d:1LuY2Uv7qWL1j6X0d
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- YARA rule match
  resource: behavioral1/files/0x003600000001654a-7.dat, yara_rule: aspack_v212_v242
- Executes dropped EXE (1 IoC)
  pid: 1964, Process: racmzae.exe
- Drops file in Program Files directory (2 IoCs)
  description: File created, ioc: C:\PROGRA~3\Mozilla\racmzae.exe, Process: c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe
  description: File created, ioc: C:\PROGRA~3\Mozilla\ttbtowf.dll, Process: racmzae.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid: 2804, Process: c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe
  pid: 1964, Process: racmzae.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 3004 wrote to memory of 1964, pid: 3004, Process: taskeng.exe, procid_target: 29
  description: PID 3004 wrote to memory of 1964, pid: 3004, Process: taskeng.exe, procid_target: 29
  description: PID 3004 wrote to memory of 1964, pid: 3004, Process: taskeng.exe, procid_target: 29
  description: PID 3004 wrote to memory of 1964, pid: 3004, Process: taskeng.exe, procid_target: 29
Processes
- C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe (PID 2804)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\taskeng.exe (PID 3004)
  Command line: taskeng.exe {AB338840-9FC1-4D20-A300-8F8D454CA16A} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - Child process: C:\PROGRA~3\Mozilla\racmzae.exe (PID 1964)
    Command line: C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 204KB
  MD5: c5e7c6fb4e7888a41fd9b2e230c099b1
  SHA1: 45e721d662ee922cbf0c5d8258734972b3465fbf
  SHA256: 96a0f4ab3a13fe8f7a78124213ffb21cb20f0eab7c6e682223b053c2da31e801
  SHA512: 57801edc46f7af6125450b92ba0367c777e7cd9ee404b193c89c38c79772ebee7644625a0c578f068adf0892289858de9ec9faed8c9ba802bf36ecb1c549bbc1