Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

661d00e1da...cs.exe

windows7-x64

10

661d00e1da...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 14:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe

  • Size

    741KB

  • MD5

    661d00e1dabffbf922ce29544c1c4760

  • SHA1

    eccec63f4fd0153b555f2e19734595c97f213881

  • SHA256

    638a986982d63c68d6b82c885ec565164eb8c12d82a6e48db1de200858963fba

  • SHA512

    c927cfd89e110f0731f3242d3c091c60b4a1ebc9efce774d1dd0196dd8f11b5034722fea04e3363ba12121e598fe0c5421ecf37e4d1f00c2a727d03752611d2e

  • SSDEEP

    12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1FA:lIt4kt0Kd6F6CNzYhUiEWEYcwY

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4780
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2492
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4900
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3524
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:4612
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4668

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe
      Filesize

      741KB

      MD5

      d299251a92a9f1e688192c14271845a8

      SHA1

      8cda1159983476a5cee4d90b5a288293232ff3ae

      SHA256

      4157bb375651a07eb05a1ca867746510d9b9d8b70bfa79d9ec2667ab5fec5fc3

      SHA512

      987d347dbdb1ffaff4faab06542a8728360af37c46223538c41ba77dfe46717b458670f6e45f29030ac6077785ae654d47c52d6cd3e9e2797ed56e5bbc481328

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      741KB

      MD5

      0f38854ef769d1fb1918abd4a7bcd2c4

      SHA1

      e951b2fb692ff709d3cb0f2d655b7d8e68cfef3e

      SHA256

      4473a9163c0d2a49df7268198a29f4e041e2fd825c2b5f0efa480d181a84a37d

      SHA512

      68c0a5fcf8fb030d31ba3e70eec56ff3925bdff09ccc11bc962d86596210deba80bbd4f861a1704772cfbef37a5ad886e78a10b822c59e62b396dab23ab8d615

      Download Submit

    • C:\Windows\Resources\svchost.exe
      Filesize

      741KB

      MD5

      5fd9b3a35eba1a85c55d7a3e1ceb959a

      SHA1

      c3c11f0af6791739724b4035ae7952b6e6078fbe

      SHA256

      b9125bee209484c518bf79959c760e7268aa3c7f3ae12b94b397f5b403ee01d7

      SHA512

      6cd45bfae2e3f8e0b60e64aca7853e523f06f2561fa00c27eb6d6410d9e09a545202304c850ce31f17ffb698370f83012a57e02eb38ba260d7b8adfbfbce76d3

      Download Submit

    • memory/2492-45-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2492-39-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2492-59-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2492-51-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2492-43-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3524-48-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3524-50-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3524-64-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3524-40-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3524-42-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3524-60-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3524-44-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3524-52-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4612-35-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4612-30-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4780-4-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4780-38-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4780-0-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4780-37-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4900-36-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download