Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/05/2024, 23:54

General

  • Target

    5d8ad6f99e3a5dfce870f60ceb879410_NeikiAnalytics.exe

  • Size

    119KB

  • MD5

    5d8ad6f99e3a5dfce870f60ceb879410

  • SHA1

    abe4f368d76d3e4926615cd2818ba3ed8a88f4e8

  • SHA256

    0b278aead63f82b1bf4f3748a50bfc58eb495ffc9562c77c0ba3ec7d37fdab6e

  • SHA512

    ff19bc7c3976d732d642782ee0df08ca435b7deb2fa4e88283cccb56b30f716afd250e7c6548b2cecc4f242c1343cb85193b3bb67b4ee1bf7113a1c7827d0684

  • SSDEEP

    3072:0OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:0Is9OKofHfHTXQLzgvnzHPowYbvrjD/E

Malware Config

Signatures

  • Drops file in Drivers directory (1 IoCs)
  • ACProtect 1.3x - 1.4x DLL software (1 IoCs)

    Detects file using ACProtect software.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 19 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry (3 TTPs, 6 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory (64 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • Modifies registry class (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d8ad6f99e3a5dfce870f60ceb879410_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5d8ad6f99e3a5dfce870f60ceb879410_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    dc8a463a7374301e4a36a2074d018baf

    SHA1

    fb6aeab1efedb5ca398254b0a7fd8f39e62b2137

    SHA256

    b49282f017f20d4c8d4024067c20bda0c8625fc4b57d2a0be419e8580fe34171

    SHA512

    167b5df245bc890c4d9b1e6d2beecef858d383f53ba7826eb791a5e04232cf7f1852310184737268c3943fc76391b44f5911102433fcc1f419e08d05c3cb0379

  • C:\Windows\SysWOW64\smnss.exe

    Filesize

    119KB

    MD5

    21985e5ef4ae23ae53cea34dfac4368b

    SHA1

    262280a2a567201b66b37cdcd903a1026f563374

    SHA256

    cd116dc96ae3b834f2625c8e5dcf18dc4e0bcc62d1248ba1470104c1fded514c

    SHA512

    8e3671ce20b567bf5a6abf0f1a1fbb3fa6f37836ff0c4889ee8a7cefbb350ab1e34f4ba68914537ff35d6766644100ff347fecde9cde576a365e8db5704ec602

  • \Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    db5e048a8f3a51ef54f1222a95a865c0

    SHA1

    bfd1f1777ea61b5ebd5115ef9d2febcb93f9ea57

    SHA256

    887f83500f311f0cfb69a7ff7ffe25b51e3ab6eda68e1ce90fe02115e52ea04d

    SHA512

    77ca561d5546cd04b019b5cece105539c343b7f190d3a1437187ebf59d3b01c8510349ae49abeac025e55f66653d6935833c1530376e75be6358112ce0265303

  • \Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    38997c0a92a0d43ebe8cf759039bd3d0

    SHA1

    fa40207e9fb8474111c39b756df3a47b3c699f05

    SHA256

    3590a4300312bb20ef8d62bd021fd884c4aa61af65ebee2fbe8739fc177cfb57

    SHA512

    0b09ba7ff2050e493e5e32fe95f2e15a9f7f27f187e997d5c9f4ceb55113d8d8943f075df406184f8042d2e7b9a5ec1568240b8a9dfa325c0988f6fda0f483f4

  • memory/2412-26-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2412-27-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2412-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2412-18-0x00000000002D0000-0x00000000002D9000-memory.dmp

    Filesize

    36KB

  • memory/2412-16-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2748-34-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2748-41-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/2748-44-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/3060-28-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB