Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 08:22

General

  • Target

    0388d914c3e63c41b73d634a2510a250_NEIKI.exe

  • Size

    119KB

  • MD5

    0388d914c3e63c41b73d634a2510a250

  • SHA1

    7358323fea8ff5237af2d26a2b8dc265e793255c

  • SHA256

    55907f0cbaf84764fe97d1dcc9f3230c1572010e2f424eed6976fc85b6650359

  • SHA512

    ea8f3d0f09d3bd14f7c3f249cf17df1061eb1081d0cfc53710f84d73e58f1528601da4dde95ab88556529013af6a240e21ddd209eb8ca656e4aec13816871173

  • SSDEEP

    3072:lOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:lIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0388d914c3e63c41b73d634a2510a250_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\0388d914c3e63c41b73d634a2510a250_NEIKI.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:3132
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1380
          4⤵
          • Program crash
          PID:1488
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3132 -ip 3132
    1⤵
      PID:3640

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\SysWOW64\ctfmen.exe

      Filesize

      4KB

      MD5

      b82348b3bba70f9eceebc29fca7c95c6

      SHA1

      541a45217a514393cd49c6f1a79f44c661be7b4a

      SHA256

      8edc881d7ae81d17a7fcd27bb658383b45fe2cdcd0cdbe5256e1ded2f497d41d

      SHA512

      da3287f6d89ff3e5ba7f8836eac7db6252fc93f9a0b29405f487b0bee407502f574b0f6657211041e435aa1bea8fb6f3968041a06620c28a384273f3a0949d52

    • C:\Windows\SysWOW64\grcopy.dll

      Filesize

      119KB

      MD5

      e8c85f3f389c9c46d75ac8a6161823d6

      SHA1

      a0b69153ac276777859daf390b6b6a6e2716aa13

      SHA256

      c6ff547435c3cba861d6742843f1dbac44385790b8aa3bad8e6e98855ef2e5eb

      SHA512

      09ce726ba46946050d9eeda3f6e8c1dff573bb7c1603b4367a6be6211a0f9932bc3993e51eccf4c0c5f67f8a9bbf6c823ef01a5d43a7040195e173b0fd5ba57a

    • C:\Windows\SysWOW64\satornas.dll

      Filesize

      183B

      MD5

      b3c24adf89d92c8653512df562268d9b

      SHA1

      fb55787763c550cea81adee92a87bdf75dcd0c0e

      SHA256

      56b5bd88db27812e9363a06fa2292d7b13b80359e1f4e472e92d44a7d573b5e7

      SHA512

      b4fc04cc9109d6d103e2455bcad9337e091f0ba4b581497c7f34cd68717abf1acf9dc4338bc72cb531f0360f9666bb36b6a2601882582598cb255e9f064176ee

    • C:\Windows\SysWOW64\shervans.dll

      Filesize

      8KB

      MD5

      2b082f6dba4b77ddcbcf1ed1ca6d022d

      SHA1

      33ef2608c7e3c77c877252f1a926ab7d6ea57579

      SHA256

      728bc123b45cd657940616fa36d8c4f90da07f9cf2fb033bedd2eaf8a4a5565b

      SHA512

      6e920f673b70b4e7c3b5c62f5757aa16d2f7b542e14bca414ea8138f23afe7f085008f5b5d8919fc3afb2788d47d4d7ebb8aa5448d3a7e1525a6b13e2d50f7fb

    • memory/1808-28-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/1848-0-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/1848-18-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/1848-24-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/1848-22-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/3132-27-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/3132-37-0x0000000010000000-0x000000001000D000-memory.dmp

      Filesize

      52KB

    • memory/3132-39-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB
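A hash-based hunt for the artifacts in the Downloads list above, added here as a worked example; it is not part of the tria.ge report and not code from the sample. The SHA256 values and sandbox paths are transcribed from this report (the submitted file plus the four dropped files); the directory walker, the `Match` record, `demo()` and the `example.exe` path it uses are assumptions made for illustration.

```python
"""Hunt a file system for the artifacts listed in this report, matched by hash.

Added example, not code from tria.ge or from the sample itself. The hash table
is transcribed from the report (submitted file plus the four dropped files);
the directory walker, the Match record and demo() are assumptions made for
illustration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# SHA256 -> path recorded by the sandbox. Matching on hash rather than on name
# catches the same payload if an infected host stores it under another name.
REPORT_IOCS: Dict[str, str] = {
    "55907f0cbaf84764fe97d1dcc9f3230c1572010e2f424eed6976fc85b6650359":
        r"C:\Users\Admin\AppData\Local\Temp\0388d914c3e63c41b73d634a2510a250_NEIKI.exe",
    "8edc881d7ae81d17a7fcd27bb658383b45fe2cdcd0cdbe5256e1ded2f497d41d":
        r"C:\Windows\SysWOW64\ctfmen.exe",
    "c6ff547435c3cba861d6742843f1dbac44385790b8aa3bad8e6e98855ef2e5eb":
        r"C:\Windows\SysWOW64\grcopy.dll",
    "56b5bd88db27812e9363a06fa2292d7b13b80359e1f4e472e92d44a7d573b5e7":
        r"C:\Windows\SysWOW64\satornas.dll",
    "728bc123b45cd657940616fa36d8c4f90da07f9cf2fb033bedd2eaf8a4a5565b":
        r"C:\Windows\SysWOW64\shervans.dll",
}


@dataclass
class Match:
    local_path: str    # where the file was found on the scanned host
    report_path: str   # where the sandbox saw it
    sha256: str


def file_hashes(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Return md5/sha1/sha256 of a file, read in chunks so large files are not loaded whole."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_directory(root: str, iocs: Dict[str, str] = REPORT_IOCS) -> List[Match]:
    """Walk root, hash every regular file and report those whose SHA256 is in iocs.

    Unreadable files (locked, permission denied) are skipped rather than aborting
    the scan; symlinks are not followed so a link loop cannot hang the walk.
    """
    matches: List[Match] = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                sha256 = file_hashes(full)["sha256"]
            except OSError:
                continue
            if sha256 in iocs:
                matches.append(Match(full, iocs[sha256], sha256))
    return matches


def demo() -> Dict[str, object]:
    """Write a constructed file, then scan it against the report table and against a
    constructed table whose only entry is that file's hash. Returns the pieces so they
    can be checked; the constructed bytes are not the real payload."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    sample = os.path.join(root, "renamed_payload.bin")
    data = b"constructed sample bytes, not the real payload"
    with open(sample, "wb") as fh:
        fh.write(data)
    hashes = file_hashes(sample)
    # hypothetical sandbox path for the constructed file
    constructed_table = {hashes["sha256"]: r"C:\Windows\SysWOW64\example.exe"}
    return {
        "hashes": hashes,
        "expected_sha256": hashlib.sha256(data).hexdigest(),
        "against_report": scan_directory(root),              # no real artifact present: empty
        "against_constructed": scan_directory(root, constructed_table),
        "sample_path": sample,
    }


if __name__ == "__main__":
    for m in scan_directory(os.environ.get("SCAN_ROOT", ".")):
        print(f"{m.local_path}  matches report artifact {m.report_path}  ({m.sha256})")
```

Matching on SHA256 rather than on filename matters for this sample because the process tree shows the payload being re-executed from a different name under SysWOW64, and a host may hold it under yet another one. The sizes in the report are rounded (4KB, 119KB, 183B, 8KB), so they are not used as a match criterion; the SSDEEP value would let you catch modified variants by similarity, but that needs the ssdeep library, which this example deliberately avoids.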