Analysis

max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 08:22
Static task: static1

Behavioral task: behavioral1
Sample: 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
Resource: win10v2004-20240508-en
General

Target: 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
Size: 119KB
MD5: 0388d914c3e63c41b73d634a2510a250
SHA1: 7358323fea8ff5237af2d26a2b8dc265e793255c
SHA256: 55907f0cbaf84764fe97d1dcc9f3230c1572010e2f424eed6976fc85b6650359
SHA512: ea8f3d0f09d3bd14f7c3f249cf17df1061eb1081d0cfc53710f84d73e58f1528601da4dde95ab88556529013af6a240e21ddd209eb8ca656e4aec13816871173
SSDEEP: 3072:lOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:lIs9OKofHfHTXQLzgvnzHPowYbvrjD/E
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x00090000000233e8-10.dat | acprotect
Executes dropped EXE (2 IoCs)
pid | Process
1808 | ctfmen.exe
3132 | smnss.exe
Loads dropped DLL (2 IoCs)
pid | Process
1848 | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
3132 | smnss.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" | smnss.exe
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | smnss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | smnss.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | smnss.exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\satornas.dll | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
File created | C:\Windows\SysWOW64\smnss.exe | smnss.exe
File created | C:\Windows\SysWOW64\shervans.dll | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
File created | C:\Windows\SysWOW64\grcopy.dll | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
File opened for modification | C:\Windows\SysWOW64\shervans.dll | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
File created | C:\Windows\SysWOW64\smnss.exe | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
File created | C:\Windows\SysWOW64\zipfi.dll | smnss.exe
File created | C:\Windows\SysWOW64\zipfiaq.dll | smnss.exe
File created | C:\Windows\SysWOW64\ctfmen.exe | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
File opened for modification | C:\Windows\SysWOW64\ctfmen.exe | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
File opened for modification | C:\Windows\SysWOW64\grcopy.dll | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
File created | C:\Windows\SysWOW64\satornas.dll | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\si.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml | smnss.exe
File opened for modification | C:\Program Files\dotnet\LICENSE.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml | smnss.exe
File opened for modification | C:\Program Files\CheckpointFind.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\License.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml | smnss.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | smnss.exe
File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | smnss.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1488 | 3132 | WerFault.exe | 87
Modifies registry class (6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" | smnss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3132 | smnss.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1848 wrote to memory of 1808 | 1848 | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe | 86
PID 1848 wrote to memory of 1808 | 1848 | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe | 86
PID 1848 wrote to memory of 1808 | 1848 | 0388d914c3e63c41b73d634a2510a250_NEIKI.exe | 86
PID 1808 wrote to memory of 3132 | 1808 | ctfmen.exe | 87
PID 1808 wrote to memory of 3132 | 1808 | ctfmen.exe | 87
PID 1808 wrote to memory of 3132 | 1808 | ctfmen.exe | 87
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\0388d914c3e63c41b73d634a2510a250_NEIKI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0388d914c3e63c41b73d634a2510a250_NEIKI.exe"
  PID: 1848
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ctfmen.exe
      Command line: ctfmen.exe
      PID: 1808
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\smnss.exe
          Command line: C:\Windows\system32\smnss.exe
          PID: 3132
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1380
              PID: 1488
              - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3132 -ip 3132
  PID: 3640
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4KB
MD5: b82348b3bba70f9eceebc29fca7c95c6
SHA1: 541a45217a514393cd49c6f1a79f44c661be7b4a
SHA256: 8edc881d7ae81d17a7fcd27bb658383b45fe2cdcd0cdbe5256e1ded2f497d41d
SHA512: da3287f6d89ff3e5ba7f8836eac7db6252fc93f9a0b29405f487b0bee407502f574b0f6657211041e435aa1bea8fb6f3968041a06620c28a384273f3a0949d52

Filesize: 119KB
MD5: e8c85f3f389c9c46d75ac8a6161823d6
SHA1: a0b69153ac276777859daf390b6b6a6e2716aa13
SHA256: c6ff547435c3cba861d6742843f1dbac44385790b8aa3bad8e6e98855ef2e5eb
SHA512: 09ce726ba46946050d9eeda3f6e8c1dff573bb7c1603b4367a6be6211a0f9932bc3993e51eccf4c0c5f67f8a9bbf6c823ef01a5d43a7040195e173b0fd5ba57a

Filesize: 183B
MD5: b3c24adf89d92c8653512df562268d9b
SHA1: fb55787763c550cea81adee92a87bdf75dcd0c0e
SHA256: 56b5bd88db27812e9363a06fa2292d7b13b80359e1f4e472e92d44a7d573b5e7
SHA512: b4fc04cc9109d6d103e2455bcad9337e091f0ba4b581497c7f34cd68717abf1acf9dc4338bc72cb531f0360f9666bb36b6a2601882582598cb255e9f064176ee

Filesize: 8KB
MD5: 2b082f6dba4b77ddcbcf1ed1ca6d022d
SHA1: 33ef2608c7e3c77c877252f1a926ab7d6ea57579
SHA256: 728bc123b45cd657940616fa36d8c4f90da07f9cf2fb033bedd2eaf8a4a5565b
SHA512: 6e920f673b70b4e7c3b5c62f5757aa16d2f7b542e14bca414ea8138f23afe7f085008f5b5d8919fc3afb2788d47d4d7ebb8aa5448d3a7e1525a6b13e2d50f7fb