Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
11/05/2024, 19:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe
-
Size
224KB
-
MD5
301b92f66a94e8bf3b7f6c93dc761f30
-
SHA1
8cf96e36787dd889b2e76e9f2ca4c559496346b9
-
SHA256
f1d032fb99da003501008c140a2e991145472214f3b992f9e7dc88e0d9e667b7
-
SHA512
07023d0091a11c3cbff57ff68a8203fed0bfa81132d55ff748aa6f1bbd455ae101462282c40aac14996febe840552b0782ad05b9f3518729c6c61dad0b4bf815
-
SSDEEP
6144:0Is9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCtZy:VKofHfHTXQLzgvnzHPowYbvrjD/L7QPo
Score
7/10
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x00380000000141b7-10.dat acprotect -
Executes dropped EXE 2 IoCs
pid Process 2648 ctfmen.exe 2756 smnss.exe -
Loads dropped DLL 9 IoCs
pid Process 2204 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe 2204 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe 2204 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe 2648 ctfmen.exe 2648 ctfmen.exe 2756 smnss.exe 2552 WerFault.exe 2552 WerFault.exe 2552 WerFault.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 smnss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe -
Drops file in System32 directory 12 IoCs
description ioc Process File created C:\Windows\SysWOW64\smnss.exe 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\satornas.dll 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe File created C:\Windows\SysWOW64\zipfiaq.dll smnss.exe File created C:\Windows\SysWOW64\smnss.exe smnss.exe File opened for modification C:\Windows\SysWOW64\ctfmen.exe 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe File created C:\Windows\SysWOW64\shervans.dll 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\grcopy.dll 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\shervans.dll 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe File created C:\Windows\SysWOW64\ctfmen.exe 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe File created C:\Windows\SysWOW64\grcopy.dll 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe File created C:\Windows\SysWOW64\satornas.dll 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe File created C:\Windows\SysWOW64\zipfi.dll smnss.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\mr.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\uk.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\gu.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ug.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\pl.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\lv.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\si.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ta.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\kab.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\nl.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\pt.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\da.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ky.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\fr.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\it.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\sk.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\sl.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\tr.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ga.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\tg.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\el.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\hi.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\th.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ext.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\vi.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\tt.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\fur.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\id.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ku.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\lij.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt smnss.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2552 2756 WerFault.exe 29 -
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2756 smnss.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2204 wrote to memory of 2648 2204 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe 28 PID 2204 wrote to memory of 2648 2204 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe 28 PID 2204 wrote to memory of 2648 2204 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe 28 PID 2204 wrote to memory of 2648 2204 301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe 28 PID 2648 wrote to memory of 2756 2648 ctfmen.exe 29 PID 2648 wrote to memory of 2756 2648 ctfmen.exe 29 PID 2648 wrote to memory of 2756 2648 ctfmen.exe 29 PID 2648 wrote to memory of 2756 2648 ctfmen.exe 29 PID 2756 wrote to memory of 2552 2756 smnss.exe 30 PID 2756 wrote to memory of 2552 2756 smnss.exe 30 PID 2756 wrote to memory of 2552 2756 smnss.exe 30 PID 2756 wrote to memory of 2552 2756 smnss.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\301b92f66a94e8bf3b7f6c93dc761f30_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\ctfmen.exectfmen.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\smnss.exeC:\Windows\system32\smnss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 8244⤵
- Loads dropped DLL
- Program crash
PID:2552
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
183B
MD501ce0e90d380d622d8212adab18a1d50
SHA15441c927b5f73dc312c28bc8d65d2ce0c37b5a65
SHA2562fe991510954092bc4e1fd533d11fa82b480053cdc8701b67d0fe085141f2b1f
SHA512739fbe611dee3c8d3dbd98c6c5fd7829d0db0d2a35d8b385f0dfcb8d5fef0a8e7b4b5ddf134e1667710bc8b9859fed310c2a7849e7d3fdf246b8c52b48b7caa0
-
Filesize
4KB
MD56819a29dfbd1e49ae66b7061269fee7a
SHA1edfa624b0531fd5b0f1d2caa583dc467633d4ea2
SHA25650a2ba00b6fe03fb94ca518e90aad8b689b8cfca69328ec5aced964e09055449
SHA512dd5cc274d19fe401fe62aa525f3c91d8b4269391528e7e9256bc52d46ad7ebeb851c60b1b3522338b5191d4c6d1bf4a3cea67a601ce1ad4071aef3863a847e11
-
Filesize
8KB
MD5f172f0870cb48c141b9281060b3700b1
SHA11c2d3b4821d872bb728ae989594ab8024945561d
SHA2567899d0f99d279c32a3b21176e2034fbefed42ed78ab46d578cd19d100479673b
SHA5126fc497ec714056f9cd6933a70f8ec50ddcd2872c2ad54c77d11e089f4ddfce68e41ae0644f06e2b58a1a1b3a7cebc3d60918b76fa2167777e92e892e0d16376c
-
Filesize
224KB
MD582c0bf3dc3a8f05e41cadfe0ddfcf563
SHA15332fbb1220c6d6670d201a48da5ae8e07caa0fb
SHA2564cd736ae9c4c096921d554ac6c7a20a903a259ec2749e65d432f976d321a8994
SHA512dd45c366ad66dc5688d4251f922ac7315baea6fa98969e041495cb74969f78ef4f43af63f91a9feef3b4f87c2729a60ddd6c3219618de57485c4f4c03ef00b6d