Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 02:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
Resource
win7-20240508-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
-
Size
937KB
-
MD5
c82ac52c53951e50ef5f24e9dabeb100
-
SHA1
d4dbf04026c7626a2fed88119ebd5f3acf7170c1
-
SHA256
2766d859d6e8c9e2f62df1f2c2351a4bd2ff4b269a199049111d40af74ebba6b
-
SHA512
1bd89480b7d49bc83554da480d5ffc19b92811baf704fb4544a3ce66b9b399bae76a9a4a5f8dad90ed0de5b70c269bb576e82332a511e945f8b5d1f7a63c6f2e
-
SSDEEP
12288:jwKfOVRo9yRY0q6EQUj0ESA/RfAoF2ePMM:jxWVeyRY0P29rMM
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
pid Process 3036 microsoftsystem.exe 1996 languagecomponents.exe 956 customersupport.exe 2360 toolsmicrosoft.exe -
Loads dropped DLL 4 IoCs
pid Process 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe -
Adds Run key to start application 2 TTPs 9 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsOperating = "c:\\program files (x86)\\common files\\system\\ado\\en-us\\microsoftsystem.exe" c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ComponentsNatural = "c:\\program files (x86)\\microsoft office\\office14\\proof\\1036\\languagecomponents.exe" c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ToolsStudio = "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\toolsmicrosoft.exe" c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WindowsOperating6.1.7600.16385 = "c:\\program files (x86)\\common files\\system\\en-us\\windowssystem.exe" c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\transmrrlocaldv14.0.4750.1000 = "c:\\program files (x86)\\microsoft office\\office14\\convert\\1033\\localdvlocaldv.exe" c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices" c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\EngineSource = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe" c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\SupportCustomer = "c:\\program files (x86)\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formstemplates\\customersupport.exe" c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EngineOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe" c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\SysWOW64\ntdll.dll.dll c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe File created C:\Windows\SysWOW64\ntdll.dll.dll microsoftsystem.exe File created C:\Windows\SysWOW64\ntdll.dll.dll languagecomponents.exe File created C:\Windows\SysWOW64\ntdll.dll.dll customersupport.exe File created C:\Windows\SysWOW64\ntdll.dll.dll toolsmicrosoft.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files (x86)\Common Files\System\ado\en-US\MicrosoftSystem.exe c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\CustomerSupport.exe c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\RCX3D02.tmp c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe File created C:\Program Files (x86)\Common Files\System\en-US\WindowsSystem.exe c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe File opened for modification C:\Program Files (x86)\Common Files\System\en-US\RCX5314.tmp c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\LanguageComponents.exe c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\RCX3CA3.tmp c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe File opened for modification C:\Program Files (x86)\Common Files\System\ado\en-US\RCX3CC3.tmp c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe File created C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\localdvlocaldv.exe c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MicrosoftEngine.exe c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\ToolsMicrosoft.exe c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\LanguageComponents.exe c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\RCX52C5.tmp c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\RCX5334.tmp c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe -
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier toolsmicrosoft.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString microsoftsystem.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier microsoftsystem.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 customersupport.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString toolsmicrosoft.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString customersupport.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier customersupport.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 toolsmicrosoft.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 microsoftsystem.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier languagecomponents.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 languagecomponents.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString languagecomponents.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3036 microsoftsystem.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 1996 languagecomponents.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 956 customersupport.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 2360 toolsmicrosoft.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3056 wrote to memory of 3036 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 30 PID 3056 wrote to memory of 3036 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 30 PID 3056 wrote to memory of 3036 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 30 PID 3056 wrote to memory of 3036 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 30 PID 3056 wrote to memory of 1996 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 32 PID 3056 wrote to memory of 1996 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 32 PID 3056 wrote to memory of 1996 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 32 PID 3056 wrote to memory of 1996 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 32 PID 3056 wrote to memory of 956 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 34 PID 3056 wrote to memory of 956 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 34 PID 3056 wrote to memory of 956 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 34 PID 3056 wrote to memory of 956 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 34 PID 3056 wrote to memory of 2360 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 35 PID 3056 wrote to memory of 2360 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 35 PID 3056 wrote to memory of 2360 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 35 PID 3056 wrote to memory of 2360 3056 c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\program files (x86)\common files\system\ado\en-us\microsoftsystem.exe"c:\program files (x86)\common files\system\ado\en-us\microsoftsystem.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3036
-
-
\??\c:\program files (x86)\microsoft office\office14\proof\1036\languagecomponents.exe"c:\program files (x86)\microsoft office\office14\proof\1036\languagecomponents.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1996
-
-
\??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\customersupport.exe"c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\customersupport.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:956
-
-
\??\c:\program files (x86)\common files\microsoft shared\vsta\8.0\toolsmicrosoft.exe"c:\program files (x86)\common files\microsoft shared\vsta\8.0\toolsmicrosoft.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2360
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
939KB
MD57c9911169ae3369fdd4612e33bd77db3
SHA193970f37e29c1eea80973a93adcb85ddd2a27f19
SHA256f788d80663e5e031182fd79e19b7fe0ffe699dcf92b5c124e910b90eca10c5ff
SHA51264093f3141a7590565e4d434cb2d8308468a9df8629a2ccc4ed383f718a3ea9c8038b16bfe94bce5893570cdb4ab86957d916bd5e85c2d41e3b258ebe878a7f8
-
Filesize
937KB
MD5c82ac52c53951e50ef5f24e9dabeb100
SHA1d4dbf04026c7626a2fed88119ebd5f3acf7170c1
SHA2562766d859d6e8c9e2f62df1f2c2351a4bd2ff4b269a199049111d40af74ebba6b
SHA5121bd89480b7d49bc83554da480d5ffc19b92811baf704fb4544a3ce66b9b399bae76a9a4a5f8dad90ed0de5b70c269bb576e82332a511e945f8b5d1f7a63c6f2e
-
Filesize
939KB
MD53de57b228c46b8c23edba7bafd20f8a6
SHA147beb56eea14c76bc65e9359df72d2daf6aa5c65
SHA2562c9a00bdc49856b85251abbe3da7d38d7fe9baa53c0c52b54b4075298e1808fb
SHA512572a5cb54ddb46bdf0446024f375c099e1624d7b182b00a1a62bf19fbecc37b81ba9a8ce8d253218b8a13e8fd2dffa1b65c8f867afb9aeb22a15fdda15f6f855