Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 09/05/2024, 01:00
Behavioral task: behavioral1
- Sample: b57898828a606cbd0805e0b1026f3360_NEIKI.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: b57898828a606cbd0805e0b1026f3360_NEIKI.exe
- Resource: win10v2004-20240508-en
General
- Target: b57898828a606cbd0805e0b1026f3360_NEIKI.exe
- Size: 139KB
- MD5: b57898828a606cbd0805e0b1026f3360
- SHA1: 856385996fa8c6d7f609dfbcfb991b8104cdc154
- SHA256: 8064c8cd692c06380045502805adab88ddce583e0780d537d6d5051cf1eb9a01
- SHA512: 2231eeb4da659810647d499a153e90da69e5b744ce5b3078e757c67d5046bbe97bb6b668080aa8c1c6e603e57aedc67d68950e191527e6b50143dcac6b280809
- SSDEEP: 3072:ri0FEplmmNJ/CHd6bOjU2GNUWdyeERIdbpI:lEr7J6rQ1NUWdyDR/
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- YARA rule match
  resource: behavioral1/files/0x0039000000016255-7.dat, yara_rule: aspack_v212_v242
- Executes dropped EXE (1 IoC)
  pid: 3020, Process: gugcane.exe
- Drops file in Program Files directory (2 IoCs)
  description: File created, ioc: C:\PROGRA~3\Mozilla\gugcane.exe, Process: b57898828a606cbd0805e0b1026f3360_NEIKI.exe
  description: File created, ioc: C:\PROGRA~3\Mozilla\zynbtfl.dll, Process: gugcane.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid: 2020, Process: b57898828a606cbd0805e0b1026f3360_NEIKI.exe
  pid: 3020, Process: gugcane.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2180 wrote to memory of 3020, pid: 2180, Process: taskeng.exe, procid_target: 29
  description: PID 2180 wrote to memory of 3020, pid: 2180, Process: taskeng.exe, procid_target: 29
  description: PID 2180 wrote to memory of 3020, pid: 2180, Process: taskeng.exe, procid_target: 29
  description: PID 2180 wrote to memory of 3020, pid: 2180, Process: taskeng.exe, procid_target: 29
Processes
- C:\Users\Admin\AppData\Local\Temp\b57898828a606cbd0805e0b1026f3360_NEIKI.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b57898828a606cbd0805e0b1026f3360_NEIKI.exe"
  PID: 2020
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\taskeng.exe (level 1)
  Command line: taskeng.exe {2C2CB377-C35C-49F1-9C99-5A0359C35C8D} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2180
  - Suspicious use of WriteProcessMemory
  - C:\PROGRA~3\Mozilla\gugcane.exe (level 2, child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\gugcane.exe -eoikpie
    PID: 3020
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 139KB
- MD5: c3e0f38b303ad73cd06e4670e8f20c21
- SHA1: e1f9753a6f101997e645c427f25aa8af115abee4
- SHA256: 4ff32ae4f8f4b1d02a394b05e465aae2f84ec906589aa21e57885b698b55d826
- SHA512: 3d06c42c0e84241e432ac2ee23a7e2e69e434ca260c16771dd89c11368560e75b7172ce4d4a738b7a0ed3cb3cd86e2ca11a965ed1a8ffc4641cf083bcf147c07