Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    136s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/05/2024, 01:42

General

  • Target

    3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    3fe2822b1b7fa2aef1cbe21bc11f87d0

  • SHA1

    630ffb82189c542249007064d7f0bb97633a5a64

  • SHA256

    9bd5ab93699abc16600005f25db02a401418d543939b2068042d2f3f7b7c6046

  • SHA512

    240b00e3ea0f9dd42ddbb22daf18246bdcfedc34d3570e7b0bf7f0f5705b09acb8b0626a73247a707d287e43bfa07c9b6129a4efa157ef192fb7ac211dd58408

  • SSDEEP

    1536:XJRtlEnBHHIgabuYotV/JbJCX5SBiZJRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQIZvtYxOuYotvYQIE

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3100
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4776
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3500
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4168
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4524
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4116
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:544
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    43c17f685d02c3cf58d72bf9e0352b5e

    SHA1

    c58cc90738600f0b27c3efff6625a09a7897c35e

    SHA256

    320a5e8ba2ad3026b05d022f0ddd364a00dfa1de305f8051e8a1485df60825f3

    SHA512

    9b7addafa8886f08bd220fa0b76c889db2c4f79ebfed45efb0c368eaa95d9b14947ae854faa1e149d94b2a9242340611aef4e9118e1066d84eb02724440f7b3c

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    35a870019b70a563fd0dcf0f84643417

    SHA1

    c31e65e9c0ed6bda0c6292997b5a390630badb33

    SHA256

    aa705076f011cf9fe3cb02fc86d4eccf53baec2766c80a26c60fc691147ebd4a

    SHA512

    903ee106eac609d4e5e263c2c63f9ec0a85519d5c001ec38b711b21e74a0d8d7c6bd20b88b5cada5c86b512387d00c3458ffcf9045d20e1876492241f1467be3

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    9b7af175701c740e4fb5f7b31b41826f

    SHA1

    628d14f69a3715c1877940bcea7b58e335e112fa

    SHA256

    54b0234578dd79cb4f2d8c543f0b6e4c8581ca181edf33568335b90cdfa19045

    SHA512

    13ac60eed9619cdfa46a89786b2d1308ca45b06d6814a3febf043022912bebf795692113db04ed8aaee7af8d1d1c3f32ebc28dfe8e26a73dce061c115564efda

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    3fe2822b1b7fa2aef1cbe21bc11f87d0

    SHA1

    630ffb82189c542249007064d7f0bb97633a5a64

    SHA256

    9bd5ab93699abc16600005f25db02a401418d543939b2068042d2f3f7b7c6046

    SHA512

    240b00e3ea0f9dd42ddbb22daf18246bdcfedc34d3570e7b0bf7f0f5705b09acb8b0626a73247a707d287e43bfa07c9b6129a4efa157ef192fb7ac211dd58408

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    03842b19d9d4fa8a72f7a268e43febb2

    SHA1

    b4834378f1fce36d3df8255f035aaf0a59de2ef7

    SHA256

    d419a0c1e5a9f46f4b51be59d310da7f1960deaf31c8017f05b7187cbf32e56d

    SHA512

    afafb50933de52617118126b620bcdc6d190214005bfaf2120de968fa7c41618d4c2285820e5408a14c2b6c1355be34cba6bdd0454766744a851860df1681c4c

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    3d45aca626e40704d07b961e4d27bea2

    SHA1

    5661ab4c25b1802b7663d9fe42f435827131e8a6

    SHA256

    5187bfd116d342caf83a48b02a7aff8b17f6fa25a18259de0340e23da8d00fc9

    SHA512

    3763293a6cae8e2e071ab8fa178489b437df5d007f6cd633c9f73f42fe2455f20c0b30689f55fc732cc77304b37133125f3505dff382e0847ee5a88cb451cf4a

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    9f4e727973abc5f0b7cd1a41f7bc00bb

    SHA1

    84eeb8fc9608f8b95ede5a41ea6f23fb35858d5a

    SHA256

    f6b19ef89f5c77d82fd4cbccf606c12eb71e338e440d52d667ee5353836f5fb4

    SHA512

    b9dcea93c04ad31240ca5ed2dbb35df5269aaaa8ab685bfd083adfb8bbf00038eeb66e463d876898859e78eea3039e7b37069bf9725d3b6a5aec97730921a848

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    961fe6b44e94cb317c454203ea857e47

    SHA1

    7c9785010eef9462305e16f80f69606368ff52f6

    SHA256

    e7a31c087016026eaffd588ec0ded6baa992a8de2a4ea50525e6fd55e2cec880

    SHA512

    6df722c33719f874e6fb23e49035d9b654bf1b66278e08d9bc6a1bcf283db59dab6f1cb826bcff5e52576b04d6dcca25d4731373a88b27a6d980652114dd0d23

  • memory/544-145-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/544-141-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1400-151-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3100-152-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3100-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3500-119-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4116-137-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4168-124-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4524-130-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4776-112-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB