Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09/05/2024, 03:36
Behavioral task behavioral1
- Sample: e104e723d4e09406858176885e43e0b0_NEIKI.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: e104e723d4e09406858176885e43e0b0_NEIKI.exe
- Resource: win10v2004-20240508-en
General
- Target: e104e723d4e09406858176885e43e0b0_NEIKI.exe
- Size: 204KB
- MD5: e104e723d4e09406858176885e43e0b0
- SHA1: 7e91e0dae6af46545e56c40a72362e4f2703f96a
- SHA256: 96d4c30ce6f5d463d5602a37ec87a3c018f5c15a478ce160bfe16a06f712a0f2
- SHA512: d9d99a91fdf7a1ed1dc7bf00f8f26432869f2d8e03d2dae0513bc09fb26392e37ea04c99e8c82436429b87c163f86e6dd5815ee09fe8a8fac85f008f4b7e221c
- SSDEEP: 3072:mbMDF8hw0ZbtC2aoaHSKLd1ZWZCZDP+RBqqAXV1o9DhlYJRkgor3rSjGKWGqpqjL:m1hwCbtC2atYZC9aqJhJPor3RLGqpXq
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Packer detected by YARA rule aspack_v212_v242 (1 match)
  resource | yara_rule
  behavioral1/files/0x002d000000014983-7.dat | aspack_v212_v242
- Executes dropped EXE (1 IoC)
  pid | Process
  2508 | dbilzqh.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~3\Mozilla\dbilzqh.exe | e104e723d4e09406858176885e43e0b0_NEIKI.exe
  File created | C:\PROGRA~3\Mozilla\zxoabnc.dll | dbilzqh.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  1876 | e104e723d4e09406858176885e43e0b0_NEIKI.exe
  2508 | dbilzqh.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2884 wrote to memory of 2508 | 2884 | taskeng.exe | 29
  PID 2884 wrote to memory of 2508 | 2884 | taskeng.exe | 29
  PID 2884 wrote to memory of 2508 | 2884 | taskeng.exe | 29
  PID 2884 wrote to memory of 2508 | 2884 | taskeng.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\e104e723d4e09406858176885e43e0b0_NEIKI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e104e723d4e09406858176885e43e0b0_NEIKI.exe"
  PID: 1876
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {CFD4E13B-807C-434A-908C-1B56D665A89B} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2884
  - Suspicious use of WriteProcessMemory
  - C:\PROGRA~3\Mozilla\dbilzqh.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg
    PID: 2508
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
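The signatures and process tree above give four host-side artifacts worth checking on a suspect endpoint: an AppInit_DLLs modification, two files dropped under C:\PROGRA~3\Mozilla (the 8.3 short name for C:\ProgramData on a default x64 install, so this is ProgramData rather than Program Files despite the signature name), a scheduled task launching the dropped EXE through taskeng.exe, and the running dbilzqh.exe process. The script below is an added triage example written for this report; it is not code from tria.ge or from the sample. It assumes Windows PowerShell 5.1 in an elevated prompt on an en-US system (schtasks column names are localized). The report does not name the scheduled task or show the AppInit_DLLs value that was written, so the task check filters on the drop directory path and the registry check reports whatever value is present.

```powershell
# Added triage example for the artifacts in this report (not tria.ge code).
# Assumes: Windows PowerShell 5.1, elevated prompt, en-US locale.

# SHA256 values taken from the report: the submitted sample and the file listed under Downloads.
$knownBadSha256 = @(
    '96d4c30ce6f5d463d5602a37ec87a3c018f5c15a478ce160bfe16a06f712a0f2',
    '92e56462fcb6c6529987b736f30ebb9a159f8f17303b03374d4ef358048bf6ee'
)
# C:\PROGRA~3 is the 8.3 short name that resolves to C:\ProgramData on a default x64 install.
$dropDir = Join-Path $env:ProgramData 'Mozilla'

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. AppInit_DLLs in both registry views; the resource tags show the sample carries x86 and x64 code.
#    The report does not show the value that was written, so any non-empty value is reported.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $dlls = [string]$props.AppInit_DLLs
    if ($dlls.Trim().Length -gt 0) {
        Add-Finding 'AppInit_DLLs' $key ("AppInit_DLLs='{0}' LoadAppInit_DLLs={1}" -f $dlls, $props.LoadAppInit_DLLs)
    }
}

# 2. Executables and DLLs under %ProgramData%\Mozilla, hashed against the report.
#    Presence alone is not flagged as known-bad, since the directory name is a legitimate vendor's.
if (Test-Path -Path $dropDir) {
    Get-ChildItem -Path $dropDir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.exe' -or $_.Extension -eq '.dll' } |
        ForEach-Object {
            $sha  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            $type = if ($knownBadSha256 -contains $sha) { 'KnownBadFile' } else { 'SuspiciousDrop' }
            Add-Finding $type $_.FullName ("sha256={0} size={1}" -f $sha, $_.Length)
        }
}

# 3. Scheduled tasks whose action runs out of the drop directory (the report shows taskeng.exe
#    launching dbilzqh.exe -kwinamg but does not name the task). schtasks also works on
#    Windows 7, where the ScheduledTasks module is unavailable; /v repeats the CSV header
#    once per task folder, so those header rows are filtered out.
$dropPattern = 'PROGRA~3\\Mozilla|ProgramData\\Mozilla'
schtasks.exe /query /fo CSV /v 2>$null |
    ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -match $dropPattern } |
    ForEach-Object { Add-Finding 'ScheduledTask' $_.TaskName $_.'Task To Run' }

# 4. Live processes executing from the drop directory.
Get-CimInstance -ClassName Win32_Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -match $dropPattern } |
    ForEach-Object { Add-Finding 'Process' ("PID {0}" -f $_.ProcessId) $_.CommandLine }

$findings | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. AppInit_DLLs only loads on Windows 8 and later when Secure Boot is disabled, so the Windows 7 behavioral task is the run in which this persistence path is effective; an empty AppInit_DLLs on a Windows 10 host with Secure Boot does not mean the dropper did not try it. And a file under ProgramData\Mozilla that does not hash-match is reported as SuspiciousDrop rather than KnownBadFile, because the report lists only two hashes and a repacked or updated copy would not match them.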
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 204KB
  MD5: ca30871b67f0c7d779f3680bf5a52c0a
  SHA1: 84a6b084e97829b3350f20b4b548f2bf7283bffd
  SHA256: 92e56462fcb6c6529987b736f30ebb9a159f8f17303b03374d4ef358048bf6ee
  SHA512: 3cd347171cdc6f8521eaa5dcb6dd3925db4665ce001a8cb0c77ed859bf24f17f5c60c497f620ff631daa9a5aa6667c022b8059ffaa0b9d2652a17e88116f2f8b