Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10/05/2024, 00:47
General
-
Target
3277a8923a3cf1d4fae5a7a267b75100_NeikiAnalytics.exe
-
Size
2.5MB
-
MD5
3277a8923a3cf1d4fae5a7a267b75100
-
SHA1
488d8ecdec6f65c69351536cd6c8fe966a547f4d
-
SHA256
30472889c5eb89189482b00e2730949b690694351021b4a089e296c23812763c
-
SHA512
babacc9d98608105070ee7af18c900f507ba122ce5caade7dfe833609f56198f652cc7a3528c2bfb5be0c51808815aa8430d6e5294c7b3ba8d8309426ad966f2
-
SSDEEP
49152:OO3HZohCbTCJ1J9xKCnFnQXBbrtgb/iQvu0UHOag4:OO3ZohC6JRxvWbrtUTrUHOW
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\3277a8923a3cf1d4fae5a7a267b75100_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3277a8923a3cf1d4fae5a7a267b75100_NeikiAnalytics.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\@AE41CC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\@AE41CC.tmp.exe"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"6⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "7⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 22248⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "9⤵
-
C:\Users\Admin\AppData\Local\Temp\wtmps.exe"C:\Users\Admin\AppData\Local\Temp\wtmps.exe"10⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\mscaps.exe"C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe11⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3277a8923a3cf1d4fae5a7a267b75100_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3277a8923a3cf1d4fae5a7a267b75100_NeikiAnalytics.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5f8202d4b8605a69090e591dc7bb4588a
SHA1a16d30663dc94c5b938ff2f598308ef4746d2cb2
SHA25628fb69b8ade9e641f2933edcc6ad38567d862dee263cdf90b2cbe237bd96561b
SHA51206bf46b3b93a1e16e70384cfaef6c92ac37c80a8513bdeabfe8c928b20a3cb2897d217d5a6ab67da8df26f7256dfa22d65ed732263f154f86985963d65ff5826
-
Filesize
640KB
MD590f7904904d665d6690d078f11e6f9a6
SHA110a51c75307d43bcb0a98915e14e6989b306397a
SHA256c55d0ad235b1424b59714cafd40128321297ffca38880b906849a0988c083a19
SHA512919e764e281e88ad3b86fc5b845156927ba0c2626fd4171df85432d9afbc781cd0c5fbf5c012371122e2d18b6e726e72fa43c884c7081fa2f132331e9565a353
-
Filesize
406B
MD537512bcc96b2c0c0cf0ad1ed8cfae5cd
SHA1edf7f17ce28e1c4c82207cab8ca77f2056ea545c
SHA25627e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f
SHA5126d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641
-
Filesize
1.8MB
MD5dfe6381b7a8bc3f0b88196adfc513855
SHA16ccb458ae2af88568232876e4ba0cb9654ac4784
SHA256d0664e05350fd32ec74c433b7b9c2c18a602ceeb147d05458bd361429e52faee
SHA5127db0b0435fbd9a22c03ffdb0efa67a67b5741687ff7f169f971a44ff6feede93b3469a66104ab866c0d174c438d8e68c9766eecfca8fa64f2e2612966f477b68
-
Filesize
229KB
MD56f90e1169d19dfde14d6f753f06c862b
SHA1e9bca93c68d7df73d000f4a6e6eb73a343682ac5
SHA25670a392389aecd0f58251e72c3fd7e9159f481061d14209ff8708a0fd9ff584dc
SHA512f0c898222e9578c01ebe1befac27a3fb68d8fb6e76c7d1dec7a8572c1aa3201bacf1e69aa63859e95606790cf09962bcf7dc33b770a6846bed5bd7ded957b0b3
-
Filesize
120KB
MD5f558c76b0376af9273717fa24d99ebbf
SHA1f84bcece5c6138b62ef94e9d668cf26178ee14cc
SHA25601631353726dc51bcea311dbc012572cf96775e516b1c79a2de572ef15954b7a
SHA5122092d1e126d0420fec5fc0311d6b99762506563f4890e4049e48e2d87dde5ac3e2e2ecc986ab305de2c6ceb619f18879a69a815d3241ccf8140bc5ea00c6768d
-
Filesize
126KB
MD502ae22335713a8f6d6adf80bf418202b
SHA14c40c11f43df761b92a5745f85a799db7b389215
SHA256ae5697f849fa48db6d3d13455c224fcf6ceb0602a1e8ac443e211dd0f32d50f4
SHA512727d16102bfc768535b52a37e4e7b5d894f5daa268d220df108382c36dcce063afdbc31fd495a7a61305263ec4cd7e92713d894faa35b585c0b379217a1d929c
-
Filesize
89KB
MD509203a9741b91f3a9ed01c82dcb8778d
SHA113e6f3fb169cd6aa5e4d450417a7e15665a2e140
SHA25663149ad45db380f5dd15f65d9ceb2611d53a0a66e022483bee4ce2ff7d2610e2
SHA5129e9e6fe0dd713417d0e28ba787cf862d55ecda9ee9f3df1eada144657f6a3b6ada1984fd05a3fffcd597a9715383225a8e40b6e5d0d8d39ec0d3a64b8dea9846
-
Filesize
99KB
MD59a27bfb55dd768ae81ca8716db2da343
SHA155da0f4282bd838f72f435a5d4d24ac15b04482b
SHA2565ec8093ef5939d1abce1c576097b584fb600b94ad767c1da897f7cb7f0063d26
SHA512d9bb49d2f282ed09c351a1d8eb2540781e6a7fb39265473fd59d146bfc162f27a4ab1405301ed7395c12929a80551a399437d7d794d7ac48650e9037b60eb69c
-
Filesize
172KB
MD5a3d7b68a2207aa1592708a660032f4a4
SHA1e1e19ac444693217091ac2b465172e473a9cfe99
SHA256d070d456cce2bc866cd8005d4f9c24c35c946beadb50b19686765d43bdd77a5c
SHA5122822a90b33a99be1e34a0f58c598bebac506a2cadad2e7edf4e6eefd049847069a22fc5f032519a86c63d9daa1b7bcc3730872b5fc63bf7850063d1853010b3e
-
Filesize
276KB
MD5727d249fde8c7eaf5c6edb7e1a66a132
SHA11edf420c80c5ee1997e4a2c1f42a7be1b259799c
SHA256a188a969de50b46195088581c04db89ecb3ae129a1d48f92a6f0278b69e12a27
SHA512e9837bd462fcdb18ad54acf0982c3fe5e8f1acc6f90f92e632c58ee3df8063cc861655e14477713a4b8febb9f5f79bf069ae2bb788be401af3b2b15692ab621b
-
Filesize
276KB
MD575c1467042b38332d1ea0298f29fb592
SHA1f92ea770c2ddb04cf0d20914578e4c482328f0f8
SHA2563b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373
SHA5125c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0
-
Filesize
172KB
MD5daac1781c9d22f5743ade0cb41feaebf
SHA1e2549eeeea42a6892b89d354498fcaa8ffd9cac4
SHA2566a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c
SHA512190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160
-
Filesize
1.8MB
MD577ace13b21b78b9275b0d603c0d7f8a1
SHA124feb658ef888faab0174842dd7c77bf2e9863ac
SHA2561501bcef84a663e5361cef27fb2a24855c1ebf290a28b3ff1815064fc2559b08
SHA5129b9ea71e5bfe985d6cdea5ff596f546de9a59d5b352ce01c21d9be9a6d2e4a8f0c9622090fe1526b46d6e59cb6b8c708b0118fab90a4d4ba7a40feec5c5104bc
-
Filesize
129B
MD5d1073c9b34d1bbd570928734aacff6a5
SHA178714e24e88d50e0da8da9d303bec65b2ee6d903
SHA256b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020
SHA5124f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f
-
Filesize
126B
MD5d9365b9080f601be34f0a25d0addab20
SHA157c6106e32a0618da370b654cb9c935b0b00cf9a
SHA2567364dc1da2bc88c99d4f1049bf08e971b98490df78bb040514a7cc14a7292345
SHA5122cffab2fc380c0b1505a6c5111323edbb96fb44b95f53580c547b90553c6ae5a8f3fb92198d1f3832418cdc4b2500bfdfbefb9a9dd42ec8d5e5cf206f554d30e
-
Filesize
196B
MD5b08e765823b387c839b8e0d7b97dc7e0
SHA1d7ca87a3ff3c006caa5c4755ee80229f1562f1dd
SHA256224b158feb285a6ba11043429abadba6dcdc541d6267cf9e1d657db24c1f02c2
SHA512b12ffcdcfc5441348ebb402097faaf3ddff1331219020a7c7d710e1b097de182a1b0fde771f5acb9e9145cf4926e3e5c16f6610a4d0363e6410984217458cdf1
-
Filesize
102B
MD53ca08f080a7a28416774d80552d4aa08
SHA10b5f0ba641204b27adac4140fd45dce4390dbf24
SHA2564e7d460b8dc9f2c01b4c5a16fb956aced10127bc940e8039a80c6455901ea1f0
SHA5120c64aa462ff70473ef763ec392296fe0ea59b5340c26978531a416732bc3845adf9ca7b673cb7b4ba40cc45674351206096995c43600fccbbbe64e51b6019f01
-
Filesize
388KB
MD58d7db101a7211fe3309dc4dc8cf2dd0a
SHA16c2781eadf53b3742d16dab2f164baf813f7ac85
SHA25693db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a
SHA5128b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83
-
Filesize
256B
MD5c4f5e3164ef65a45d306ea8d90e1b2dd
SHA1d66c1e802970d0f7734329b5c47974869941c0b9
SHA2567019beb10db8e35ad2bcba7cd292adfab0baac5efce74718420e2da54b11e30e
SHA5120de018ae50ff57605b1b0250811504e16adb48761ed47c426ad6108ef014a55e646db0c2383891e16d4c70dca8e27ea235b3b5cd59a1216a254cdcc3be4f5270
-
Filesize
200KB
MD578d3c8705f8baf7d34e6a6737d1cfa18
SHA19f09e248a29311dbeefae9d85937b13da042a010
SHA2562c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905
SHA5129a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609
-
Filesize
84KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
304KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
304KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
84KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
304KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
304KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
664KB
-
Filesize
664KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
664KB