Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/05/2024, 20:20

General

  • Target
    2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
  • Size
    191KB
  • MD5
    2fe1f7f7483896f0544b19dfe7969490
  • SHA1
    a2e8211d41017453a6e7623af36d26019692d402
  • SHA256
    b186f549a48bf83d51b27e3ca265d31f6a46a4e1d91a0cac0b5bc867c06e39bb
  • SHA512
    e23f44e8b6f73f0acbe86b87039c8ef86bb118d7ca3402f4494ace74d520c5ffc9de3059f9494e324cac980b3162f87cdce6dbae2dc38044475cdacecb2b85cb
  • SSDEEP
    3072:2AKEsYqqjfipJWYpWJZfGXFxUYyaJC6sOMD5Qjj9jRMKSlJ8subptbbG+X:NKE+qjfipJWYpWJZfGXFRJJRsOM9+j5L

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (6 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Maps connected drives based on registry (3 TTPs, 14 IoCs)
    Disk information is often read in order to detect sandboxing environments.
  • Drops file in System32 directory (5 IoCs)
  • Modifies data under HKEY_USERS (15 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe"
    1⤵
    • Enumerates connected drives
    • Maps connected drives based on registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4084
    • C:\ProgramData\UserRuntime\ntuser.exe
      "C:\ProgramData\UserRuntime\ntuser.exe" 1
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Users\Admin\AppData\Roaming\UserRuntime\ntuser.exe
        "C:\Users\Admin\AppData\Roaming\UserRuntime\ntuser.exe" 1
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Maps connected drives based on registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2380
    • C:\ProgramData\UserRuntime\ntuser.exe
      "C:\ProgramData\UserRuntime\ntuser.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\ProgramData\UserRuntime\ntuser.exe
        "C:\ProgramData\UserRuntime\ntuser.exe" 1
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Maps connected drives based on registry
        PID:1716
  • C:\ProgramData\UserRuntime\ntuser.exe
    C:\ProgramData\UserRuntime\ntuser.exe
    1⤵
    • Executes dropped EXE
    • Enumerates connected drives
    • Maps connected drives based on registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\ProgramData\UserRuntime0\ntuser.exe
      "C:\ProgramData\UserRuntime0\ntuser.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:3676

Network

MITRE ATT&CK Enterprise v15

Downloads
