Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/05/2024, 08:13

General

  • Target

    0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe

  • Size

    120KB

  • MD5

    0029a4d756eb4f0126fb7f1b7b1dbce0

  • SHA1

    9ca6e91913e6b84dcf0f8c4e9aba01e0a3674b1a

  • SHA256

    3659c82b50bdc329cee38060a50eeb74f74f302b14a788b3757607791fc43f63

  • SHA512

    2e664ba816a113ad098be5e103f88439e6114f558c0adebd0fdb030d7952d0a8d51b26bd1412d2c3b3d9eae1d4187b2d789f19623824d0e59bcb387be284e439

  • SSDEEP

    3072:tOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:tIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\0029a4d756eb4f0126fb7f1b7b1dbce0_NEIKI.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2144
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 836
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    908728ac6af3082844f78db3922c3414

    SHA1

    e462b3e6b31b7ae81144c8fc974ed8ec88b21d46

    SHA256

    373b3454c075e435fb3498d268afd8da27eece8c183736719ec844f65cf5b9ae

    SHA512

    6697d9879500660b7af4156b761fde1baf253b6e225bc7463ce815a7e780481a27dd20e2ad0962e19fc23f1ec0406f2ecd8905c419e30344283344dccec0c15a

  • C:\Windows\SysWOW64\smnss.exe

    Filesize

    120KB

    MD5

    3c7cb40cdb7c3d58099de4d1bcc99e5b

    SHA1

    895af80f380197ca8db009ce60afd60f47847520

    SHA256

    f064ddb60c139c59239a689684be1df6d2119dcf0f97f1a3ff458e915706e40a

    SHA512

    4d35a6c249b343316fb3acdb9279202a82da1c1035fc2096c30ec62221330a313be4de31d10a35698c79b7eafaddc1a627f34cbc9f95c7984384fed7fa2fd4f7

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    37eec508c1316a1df18a827fcf57c421

    SHA1

    9ccfe64b18c09fd8ee52c7585f3c5e9233422276

    SHA256

    68b5c6ea0fc554bce3dba36c7406070b3fe28619d95e8a47954c38e2e1c80f96

    SHA512

    3775d1e430dcff8b980eba64309c2e839a74c4e00b931c8b918d815d43f0154ea9483dc8a352c429409d719eb1b6d379cb9ef3cd142a64732f3ff7e71fea2adb

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    43cfac2e9b8cbb289bfd363dc9722993

    SHA1

    21f763df87a8848ea793b5dde74045080b6d097c

    SHA256

    44b18f01f122203a0e2a6589ca50006472d9bed2dd52a9041dabe88c34cf020b

    SHA512

    fd378eac330d3817372c6ef7db36719cda39fe2ee48b7cf204ed8e8dd42d729677d1cdbbfb9b4d927ffb8fc433b4e58ebfc249cb4b8afb8d39ff0245f78ecea8

  • memory/1304-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/1304-18-0x0000000000320000-0x0000000000329000-memory.dmp

    Filesize

    36KB

  • memory/1304-16-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/1304-29-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/1304-28-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/1440-25-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2144-34-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2144-41-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2144-47-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB