Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4adb1bb845...cs.exe

windows7-x64

10

4adb1bb845...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09/05/2024, 13:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4adb1bb8450c4af3c0552408ea1190a0_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    4adb1bb8450c4af3c0552408ea1190a0

  • SHA1

    e8d7c61a5a645d3356fd0d12a7a4bcae69cdf14e

  • SHA256

    1537b5b12d2b63a2b8ba799bd16d84a6a8284cedb3582eab3452c3d16786e493

  • SHA512

    d2b72d733925d68881bb2866d8095fb55dbbc274b647cd9cdb362242d683676af7677220c8ffc684be78a713f3e218aaaaa909b036ef04dfa5837d5702ebeff4

  • SSDEEP

    768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3Imuxg3gRYjXbUeHORIC40:uT3OA3+KQsxfS4hT3OA3+KQsxfS4u

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 22 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4adb1bb8450c4af3c0552408ea1190a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4adb1bb8450c4af3c0552408ea1190a0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2896
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1384
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:568
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2704
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1840
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1904
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2692
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:308
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2152
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1216
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2452
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1480
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:908
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2788
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

7
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    4adb1bb8450c4af3c0552408ea1190a0

    SHA1

    e8d7c61a5a645d3356fd0d12a7a4bcae69cdf14e

    SHA256

    1537b5b12d2b63a2b8ba799bd16d84a6a8284cedb3582eab3452c3d16786e493

    SHA512

    d2b72d733925d68881bb2866d8095fb55dbbc274b647cd9cdb362242d683676af7677220c8ffc684be78a713f3e218aaaaa909b036ef04dfa5837d5702ebeff4

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    02ccc3978540588bb8c973f4c14490a1

    SHA1

    cb394a744fc9f30138d31cf46854fccf88644c85

    SHA256

    9f80a803614155b42aa3ca4f865544f8a494bde66ba1e7d960ce2eaad41ce20a

    SHA512

    829c10e6bc2ce977c0c1a46784aaf344728958e2a3a2a98af7f3d3762bd2e7c52114398f3653bb1e6118ebe019a8d675d755fee3cc89cd2434f603ccdda764ae

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    df1fbcedd36f5e009e1c9acffa5531f9

    SHA1

    e64eca9dbc8b30898d0a6b28aab47fc9a8003d36

    SHA256

    f21786219342d6c39bd8f36fade4a761d710a215c4f6ead28defc6eadbcb3eab

    SHA512

    ad1b1affa859d5ad82451bfb16114a69ab23adb587a7440923fbec0ab741542d79287f54388b192c5641f94e0faa4acea22fc2ea3e75e47ac62df13c5416f974

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    24f884ad30bba6743074078515384083

    SHA1

    75fa4dbb9b53c1ec365f3cd3a8dc0bbd7bde1f56

    SHA256

    366d0c4c20aaa70b7d1e9a4acc6a558247df390ea027b0eaf9fbf8a25ba87503

    SHA512

    fb3fe7fef6cf93843412cd7143bf261f28fc9cdcad10c21b79ef11ee9e31347466143df53b3c1b0437a82b3d3e5de818471d2314cf6f5ea8a57103df2e39b91c

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    1b30d9dbfc61402665dff649b4307745

    SHA1

    9dc02a8d8bb7228e4b9d4c26bd48b3b0d2f28f19

    SHA256

    46fa72e89a3363728afc0a59cbeaa0f62b5b5dd2f73880ccf56cee467e5cb18a

    SHA512

    d27ea9e1221065635fb041a9706a1c8553b84a11c1766c7cdf8b6be127c87a0b6980f437e3c76d36c8d736d15366be09c3b0276e1e51c307d66a0b8d4131fc5d

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    37d6d2e20d5695af641f6e28c8bd9b91

    SHA1

    6b32cde30fac8059e62d9b784855b18bf79726ea

    SHA256

    2bec76dbeb28f1c064e2bbbabb85e180e53bec6772f91a893e31d9d8b03fb5b3

    SHA512

    08026dd6aaed14ab3bea18cb52e0145b4b7ffea8892d26bad640fd4565e80dd923d54955e17e923d476d9eabbf1a66b7ab4f3196210c7ac7381a2b1fd1c68941

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    5b047db3b9ff0512bdfd3626828c893d

    SHA1

    db5a0273f23f7a0b8ba9631f85fdac07fb472570

    SHA256

    36a5515281036bf184c439a2aec9243b36571620ab2c2779eda0ad6b285f4ba0

    SHA512

    e0eff4f2fcd52e8f513c49289b4e15537ff9fb1c694dea95ecd21aedae7793a411ab595f6c3ded7d30421eb9d8b401350c1fae674f082132b15b52aa0fe01bd0

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    f72e3c302fb1489e7a662459c4936e63

    SHA1

    603259de721308eff8b1143b25674952662ceb62

    SHA256

    b7ac102c472bb55479655307ae70f92411880490fe217ff4d9e2a4c23e865ffd

    SHA512

    276836e1546d2fe346e6260e2f8ad7b63468f1c689b9aeebf782b216ed7f74fb24ad2e2efd8074b48dfeb48b5c27e450543c3f4beaa672aa54ec19560e7339fa

    Download Submit

  • memory/308-245-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/308-257-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/568-132-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/568-131-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/568-138-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/568-134-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/908-311-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/908-318-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/908-316-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1216-277-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1216-272-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1384-115-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1384-122-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1384-116-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1384-120-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1480-298-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1480-303-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1840-168-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1840-163-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1904-181-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1904-177-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1904-183-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2152-258-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2152-263-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2452-285-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2452-290-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2692-196-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2692-191-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2692-197-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2704-148-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2704-154-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2704-149-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2788-331-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2788-327-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2896-2-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2896-3-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-226-0x00000000025A0000-0x00000000025CC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-224-0x00000000025A0000-0x00000000025CC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-244-0x00000000025A0000-0x00000000025CC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-271-0x00000000025A0000-0x00000000025CC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-326-0x00000000025A0000-0x00000000025CC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-481-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-176-0x00000000025A0000-0x00000000025CC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-1-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2896-147-0x00000000025A0000-0x00000000025CC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-162-0x00000000025A0000-0x00000000025CC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-4-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2896-151-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2896-315-0x00000000025A0000-0x00000000025CC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-146-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2896-130-0x00000000025A0000-0x00000000025CC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2896-114-0x00000000025A0000-0x00000000025CC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3032-356-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download