Analysis
max time kernel: 154s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 14:51
Static task: static1
Behavioral task: behavioral1
  Sample: 661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
Size: 741KB
MD5: 661d00e1dabffbf922ce29544c1c4760
SHA1: eccec63f4fd0153b555f2e19734595c97f213881
SHA256: 638a986982d63c68d6b82c885ec565164eb8c12d82a6e48db1de200858963fba
SHA512: c927cfd89e110f0731f3242d3c091c60b4a1ebc9efce774d1dd0196dd8f11b5034722fea04e3363ba12121e598fe0c5421ecf37e4d1f00c2a727d03752611d2e
SSDEEP: 12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1FA:lIt4kt0Kd6F6CNzYhUiEWEYcwY
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe

Executes dropped EXE (4 IoCs)
pid | Process
2492 | explorer.exe
4900 | spoolsv.exe
3524 | svchost.exe
4612 | spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (15 IoCs)
pid | Process
4780 | 661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2492 | explorer.exe
4900 | spoolsv.exe
3524 | svchost.exe
4612 | spoolsv.exe
3524 | svchost.exe
2492 | explorer.exe
3524 | svchost.exe
2492 | explorer.exe
3524 | svchost.exe
2492 | explorer.exe
3524 | svchost.exe
2492 | explorer.exe
3524 | svchost.exe
2492 | explorer.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2492 | explorer.exe
3524 | svchost.exe

Suspicious use of SetWindowsHookEx (15 IoCs)
pid | Process
4780 | 661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
4780 | 661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
4780 | 661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2492 | explorer.exe
2492 | explorer.exe
2492 | explorer.exe
4900 | spoolsv.exe
4900 | spoolsv.exe
4900 | spoolsv.exe
3524 | svchost.exe
3524 | svchost.exe
3524 | svchost.exe
4612 | spoolsv.exe
4612 | spoolsv.exe
4612 | spoolsv.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4780 wrote to memory of 2492 | 4780 | 661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe | 90
PID 4780 wrote to memory of 2492 | 4780 | 661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe | 90
PID 4780 wrote to memory of 2492 | 4780 | 661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe | 90
PID 2492 wrote to memory of 4900 | 2492 | explorer.exe | 91
PID 2492 wrote to memory of 4900 | 2492 | explorer.exe | 91
PID 2492 wrote to memory of 4900 | 2492 | explorer.exe | 91
PID 4900 wrote to memory of 3524 | 4900 | spoolsv.exe | 92
PID 4900 wrote to memory of 3524 | 4900 | spoolsv.exe | 92
PID 4900 wrote to memory of 3524 | 4900 | spoolsv.exe | 92
PID 3524 wrote to memory of 4612 | 3524 | svchost.exe | 93
PID 3524 wrote to memory of 4612 | 3524 | svchost.exe | 93
PID 3524 wrote to memory of 4612 | 3524 | svchost.exe | 93
Processes

Process (level 1): C:\Users\Admin\AppData\Local\Temp\661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe"
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4780

Process (level 2): \??\c:\windows\resources\themes\explorer.exe
Command line: c:\windows\resources\themes\explorer.exe
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2492

Process (level 3): \??\c:\windows\resources\spoolsv.exe
Command line: c:\windows\resources\spoolsv.exe SE
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4900

Process (level 4): \??\c:\windows\resources\svchost.exe
Command line: c:\windows\resources\svchost.exe
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3524

Process (level 5): \??\c:\windows\resources\spoolsv.exe
Command line: c:\windows\resources\spoolsv.exe PR
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID: 4612
Process (level 1): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
PID: 4668
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 741KB
MD5: d299251a92a9f1e688192c14271845a8
SHA1: 8cda1159983476a5cee4d90b5a288293232ff3ae
SHA256: 4157bb375651a07eb05a1ca867746510d9b9d8b70bfa79d9ec2667ab5fec5fc3
SHA512: 987d347dbdb1ffaff4faab06542a8728360af37c46223538c41ba77dfe46717b458670f6e45f29030ac6077785ae654d47c52d6cd3e9e2797ed56e5bbc481328

Filesize: 741KB
MD5: 0f38854ef769d1fb1918abd4a7bcd2c4
SHA1: e951b2fb692ff709d3cb0f2d655b7d8e68cfef3e
SHA256: 4473a9163c0d2a49df7268198a29f4e041e2fd825c2b5f0efa480d181a84a37d
SHA512: 68c0a5fcf8fb030d31ba3e70eec56ff3925bdff09ccc11bc962d86596210deba80bbd4f861a1704772cfbef37a5ad886e78a10b822c59e62b396dab23ab8d615

Filesize: 741KB
MD5: 5fd9b3a35eba1a85c55d7a3e1ceb959a
SHA1: c3c11f0af6791739724b4035ae7952b6e6078fbe
SHA256: b9125bee209484c518bf79959c760e7268aa3c7f3ae12b94b397f5b403ee01d7
SHA512: 6cd45bfae2e3f8e0b60e64aca7853e523f06f2561fa00c27eb6d6410d9e09a545202304c850ce31f17ffb698370f83012a57e02eb38ba260d7b8adfbfbce76d3