Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 09/05/2024, 02:37
Behavioral task behavioral1
- Sample: d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe
- Resource: win10v2004-20240226-en
General
- Target: d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe
- Size: 178KB
- MD5: d18c14e521f61cfee9e4f39a7a779c00
- SHA1: 4c60afcdaad50c1389ea65579802fd0ed521be51
- SHA256: 99d70bd519fd63196ff7f1687513b2229e2ced9c2b71fee83362b2e8ec9210e1
- SHA512: c527305cf58bb929f2d41b7c6360dba37829a4c26247ecf27c08729fcd79044b1b08a97a0cf8d89901fecd1f3569aef44c63158b9c7ba247d024b2cb595de3ee
- SSDEEP: 3072:+Yubs4vIPfIOKyCRfyJiJJMXybJg30TZZ+MbpqdNjfBDckH8sbigzwQj1j:Puk6fK6tixMbwNL+kDrV
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs). The report gives no registry detail for this. On Windows 7 the value is AppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (plus the WOW6432Node copy for 32-bit processes) and it only takes effect while LoadAppInit_DLLs is 1; from Windows 8 onward AppInit DLLs are disabled when Secure Boot is on, which is relevant to the behavioral2 (Windows 10) run.
- Yara rule match: resource behavioral1/files/0x0036000000016c67-7.dat, rule aspack_v212_v242 (ASPack 2.12-2.42 packer).
- Executes dropped EXE (1 IoCs): PID 2124, banehvg.exe
- Drops file in Program Files directory (2 IoCs):
  - C:\PROGRA~3\Mozilla\banehvg.exe, created by d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe
  - C:\PROGRA~3\Mozilla\xwmsnym.dll, created by banehvg.exe
  The signature title is tria.ge's; C:\PROGRA~3 is an 8.3 short name that on a default install resolves to C:\ProgramData, not Program Files. Verify the mapping on the host with dir /x C:\ before writing detections against the long path.
- Suspicious use of UnmapMainImage (2 IoCs): PID 2368 d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe; PID 2124 banehvg.exe
- Suspicious use of WriteProcessMemory (4 IoCs): PID 2064 (taskeng.exe) wrote to memory of PID 2124 (banehvg.exe), procid_target 29; the same event is listed four times.
Processes
- C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe"
  PID: 2368
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {4022E54A-26B9-4B74-916D-1287A77FD44F} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2064
  - Suspicious use of WriteProcessMemory
  - Child: C:\PROGRA~3\Mozilla\banehvg.exe
    Command line: C:\PROGRA~3\Mozilla\banehvg.exe -tlnruii
    PID: 2124
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
The dropped banehvg.exe is not a child of the sample; it is started by taskeng.exe (the Task Scheduler engine) running as S-1-5-18 (NT AUTHORITY\System), which implies the dropper registered a scheduled task that runs as SYSTEM. The report carries no explicit task-creation signature, so confirm this on a live host via schtasks /query or the C:\Windows\System32\Tasks folder. The report also does not say which DLL the modified AppInit entry points to; xwmsnym.dll, written by banehvg.exe, is the obvious candidate but is not confirmed here.
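The behaviours listed under Signatures and in the process tree above, turned into detection logic and run over a few constructed Sysmon-style events. This is an added example written for this page, not tria.ge code and not output of the sandbox run: the event field names, the rule names, the 8.3 short-name mapping and the AppInit registry event (whose value the report never shows) are all assumptions made for illustration.

```python
"""Detection logic distilled from the behaviours in this report.

Added example, not part of the tria.ge report or of the sample. The event
shape (Sysmon-like dicts), the rule names and SAMPLE_EVENTS are constructed
for illustration. The AppInit registry event in particular is invented: the
report only says AppInit DLL entries were modified, not what was written.
"""
import ntpath

# 8.3 short names seen in the report. On a default install they usually
# resolve as below, but short names are assigned per volume in creation
# order, so treat this as an assumption and check with `dir /x C:\`.
SHORT_NAMES = {
    "PROGRA~1": "Program Files",
    "PROGRA~2": "Program Files (x86)",
    "PROGRA~3": "ProgramData",
}

# AppInit_DLLs value on a 64-bit host: native view and WOW6432Node view.
APPINIT_VALUES = {
    r"hklm\software\microsoft\windows nt\currentversion\windows\appinit_dlls",
    r"hklm\software\wow6432node\microsoft\windows nt\currentversion\windows\appinit_dlls",
}

USER_WRITABLE_ROOTS = (r"C:\ProgramData", r"C:\Users")
PE_EXTENSIONS = (".exe", ".dll")


def expand_short_path(path):
    """Rewrite known 8.3 components so PROGRA~3 compares as ProgramData."""
    return "\\".join(SHORT_NAMES.get(part.upper(), part) for part in path.split("\\"))


def is_under(path, root):
    """Case-insensitive test that path lives below root, after 8.3 expansion."""
    p = ntpath.normcase(expand_short_path(path))
    return p.startswith(ntpath.normcase(root).rstrip("\\") + "\\")


def classify(event):
    """Return the list of rule names an event triggers (empty if benign)."""
    hits = []
    if event["type"] == "process":
        parent = ntpath.basename(event["parent_image"]).lower()
        # Rule 1: Task Scheduler engine starting a binary from a user-writable
        # location (the banehvg.exe launch in the report).
        if parent == "taskeng.exe" and any(
            is_under(event["image"], root) for root in USER_WRITABLE_ROOTS
        ):
            hits.append("task_launch_from_user_writable_path")
    elif event["type"] == "file":
        target = expand_short_path(event["target"])
        # Rule 2: a PE written into ProgramData by something that is not
        # itself a Windows binary (both "Drops file" IoCs in the report).
        if (
            target.lower().endswith(PE_EXTENSIONS)
            and is_under(target, r"C:\ProgramData")
            and not is_under(event["image"], r"C:\Windows")
        ):
            hits.append("pe_dropped_in_programdata")
    elif event["type"] == "registry":
        # Rule 3: any write to AppInit_DLLs ("Modifies AppInit DLL entries").
        # LoadAppInit_DLLs must also be 1 for the DLL to actually load.
        if event["target"].lower() in APPINIT_VALUES:
            hits.append("appinit_dlls_modified")
    return hits


def summarize(events):
    """Map each rule name to the indices of the events that triggered it."""
    out = {}
    for idx, event in enumerate(events):
        for rule in classify(event):
            out.setdefault(rule, []).append(idx)
    return out


# Constructed events mirroring the report's process tree and IoCs, plus two
# benign ones. Not sandbox output.
SAMPLE_EVENTS = [
    {"type": "file",
     "image": r"C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe",
     "target": r"C:\PROGRA~3\Mozilla\banehvg.exe"},
    {"type": "process",
     "parent_image": r"C:\Windows\system32\taskeng.exe",
     "image": r"C:\PROGRA~3\Mozilla\banehvg.exe",
     "command_line": r"C:\PROGRA~3\Mozilla\banehvg.exe -tlnruii"},
    {"type": "file",
     "image": r"C:\PROGRA~3\Mozilla\banehvg.exe",
     "target": r"C:\PROGRA~3\Mozilla\xwmsnym.dll"},
    {"type": "registry",  # constructed: the report does not show this write
     "image": r"C:\PROGRA~3\Mozilla\banehvg.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "details": r"C:\PROGRA~3\Mozilla\xwmsnym.dll"},
    {"type": "process",  # benign: Task Scheduler running a System32 binary
     "parent_image": r"C:\Windows\system32\taskeng.exe",
     "image": r"C:\Windows\system32\defrag.exe",
     "command_line": "defrag.exe -c"},
    {"type": "file",  # benign: a service writing non-PE data to ProgramData
     "image": r"C:\Windows\system32\svchost.exe",
     "target": r"C:\ProgramData\Microsoft\cache.dat"},
]

if __name__ == "__main__":
    for rule, idxs in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{rule}: events {idxs}")
```

Rule 1 keys on the parent being taskeng.exe rather than on the task GUID or the banehvg.exe name, so it also catches the same persistence pattern with different file names; the 8.3 expansion is what makes the C:\PROGRA~3 paths in this report compare equal to the C:\ProgramData paths most telemetry records.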
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 178KB
- MD5: 82bffc026c3bb741726f1064337f9d7d
- SHA1: 691e2d974524448130432302d12b7f81f08eb2c2
- SHA256: e1d2d5211d9bc85886ac24accb721068345d6a2579cc4e5e98397316d43da89d
- SHA512: 848eb55020fb92115b601206e35400df9e6c08819ddb1dfd6ca1abf4672ed18907aac70b70b55164ccd11660cc5f722a37f9593025adb946be0f515b6ea1a084
This file has the same size as the submitted sample (178KB) but different hashes; the report does not name which dropped file it is.