Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/05/2024, 15:11

General

  • Target

    cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe

  • Size

    96KB

  • MD5

    cbbf1380aa0b20b6dc71dde6ae9311e0

  • SHA1

    8979f0d70fc98c05a7ea40d93f08e014924963f1

  • SHA256

    1b2e1929601cdf45d0f2ee5875758c74bd5723ca8be1d3400bbe27db231f2785

  • SHA512

    d7af1756b22918128e28ae0d3d319c7db67fd30c26af77872894e6054b5bacf9a006ffc183ce0d6df5f0d70fda0c75f58cfe452a66056389957025135d9b8015

  • SSDEEP

    768:ef4JA5kWTdnURLQ/JD60XDeVtA5YwmHwWW2icNe78ljNZQcytSq:eZkSdIQ/JDHKa5EJWceYljNZQTSq

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Users\Admin\koinof.exe
      "C:\Users\Admin\koinof.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\koinof.exe

    Filesize

    96KB

    MD5

    dc45ac3b27eb39d669515378313d88ce

    SHA1

    9a360f033336e5a37e8ede363d08ae5a813e3543

    SHA256

    951ade07622cc9b1a438e5f72e65c64e6a74e61b4536624ecc7275eb59bb861f

    SHA512

    9fdc3d99b1a21908ede8a26cf21b2e4c09ad646711fc1ccc3a6c3e6c9e2a9ce5659d24b8c54f4ed7918c5f649bbc836ab626487edbd5315bc143bcf3024c780f

  • memory/2744-21-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/2744-26-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/4744-0-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/4744-25-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB