Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 127s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 10/05/2024, 22:04
Behavioral task behavioral1
- Sample: 14085d347cd35d5d9a6480fc0f82cdc0_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 14085d347cd35d5d9a6480fc0f82cdc0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 14085d347cd35d5d9a6480fc0f82cdc0_NeikiAnalytics.exe
- Size: 256KB
- MD5: 14085d347cd35d5d9a6480fc0f82cdc0
- SHA1: f03c871cb7971dce8f1740bf618f99e0394a028d
- SHA256: ab61e705c84f9b40dce7c345872c140e24bdebc5818a11470b788a7142b5de3c
- SHA512: 8b23b02d19f2b598ddae417f9da800975c7a11cd54aab5a50054a8a6b51611bab68c784ad1c485e5441e2d49fad68d6092d825dc5a43f650f847f5898fbed4a8
- SSDEEP: 6144:FDLQxoyQ1LpnFyZ+dayL9rvolH8u3ZhGod:1QCyQ1LHk+zR7QHjGo
Malware Config
Signatures
- Drops file in Drivers directory 1 IoCs
  description | ioc | process
  File opened for modification | C:\WINDOWS\system32\drivers\etc\hosts | 14085d347cd35d5d9a6480fc0f82cdc0_NeikiAnalytics.exe
- Modifies Installed Components in the registry 2 TTPs 1 IoCs
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Deletes itself 1 IoCs
  pid | process
  2624 | cmd.exe
- resource | yara_rule
  behavioral1/memory/2188-0-0x0000000000400000-0x000000000048C000-memory.dmp | vmprotect
  behavioral1/memory/2188-1-0x0000000000400000-0x000000000048C000-memory.dmp | vmprotect
  behavioral1/memory/2188-19-0x0000000000400000-0x000000000048C000-memory.dmp | vmprotect
  behavioral1/files/0x000c000000016103-21.dat | vmprotect
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
- Modifies Internet Explorer start page 1 TTPs 1 IoCs
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2637.cn/?56" | 14085d347cd35d5d9a6480fc0f82cdc0_NeikiAnalytics.exe
- Modifies registry class 5 IoCs
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid | process
  2188 | 14085d347cd35d5d9a6480fc0f82cdc0_NeikiAnalytics.exe
- Suspicious use of AdjustPrivilegeToken 13 IoCs
  description | pid | process
  Token: SeShutdownPrivilege | 2196 | explorer.exe (13 identical entries)
- Suspicious use of FindShellTrayWindow 29 IoCs
  pid | process
  2196 | explorer.exe (29 identical entries)
- Suspicious use of SendNotifyMessage 18 IoCs
  pid | process
  2196 | explorer.exe (18 identical entries)
- Suspicious use of WriteProcessMemory 8 IoCs
  description | pid | process | procid_target
  PID 2188 wrote to memory of 2196 | 2188 | 14085d347cd35d5d9a6480fc0f82cdc0_NeikiAnalytics.exe | 28 (4 identical entries)
  PID 2188 wrote to memory of 2624 | 2188 | 14085d347cd35d5d9a6480fc0f82cdc0_NeikiAnalytics.exe | 29 (4 identical entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\14085d347cd35d5d9a6480fc0f82cdc0_NeikiAnalytics.exe (PID 2188)
  command line: "C:\Users\Admin\AppData\Local\Temp\14085d347cd35d5d9a6480fc0f82cdc0_NeikiAnalytics.exe"
  - Drops file in Drivers directory
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe (PID 2196, child of 2188)
    command line: C:\Windows\explorer.exe
    - Modifies Installed Components in the registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\cmd.exe (PID 2624, child of 2188)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\yyyy.bat
    - Deletes itself
- C:\Windows\explorer.exe (PID 2828)
  command line: explorer.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 256KB
  MD5: c4d409152a4346268d4fe6e651915c29
  SHA1: ba64729016309866142158616d3f685023ab6c73
  SHA256: 7229ffc6e7950a37f4cb51ff5e78a30fa53ef1b14723c6a629e550869411c1f2
  SHA512: 46fe8499a828dfc90ed6fe29192048940358fdbaaa4ad18015be79540ee8a01da01d865d16ff0d0f6b2282f236992694c92580f551b555a05be3d59e5a71c6bd
- Filesize: 337B
  MD5: ec5ec017408677bcd4e09b8f76420dc8
  SHA1: 73c4a367d409744f8e205dd486f637e8f32ac0be
  SHA256: f804df1d10eb132f588011c00e11122f399a0f5c73e9f061f617d733fb164f1b
  SHA512: 2b81cde5910afdf835bbfb28a711145227cb7ad3403c79bea7eecea3c385d42064fd50819339cfd9443e902e165b61e0bfbe177817b3e69fe13e44ef5848830c
- Filesize: 2KB
  MD5: a1d921556cf3a3d9d26b2ef002a7f87e
  SHA1: 6d35761aa3c8d24ab25db1d6a6e8a964bebd7121
  SHA256: be7dfb47e11615f6b0cda24d8d568fccb6cea492112f723b8784ee26cbe5d309
  SHA512: 282607c9fc123c57dff829e728c4b08fe7fa27a130903907856127c9aec7d7f2c83c8e6d812208291c495cf25af195404d9010391cf53fcd12f2647475acc049