Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

39cc45f495...cs.exe

windows7-x64

10

39cc45f495...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    10/05/2024, 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe

  • Size

    255KB

  • MD5

    39cc45f4953d41988b920e0d9d7e8090

  • SHA1

    4f1458801d6dff8a1c7ba78f9369a6d35228e592

  • SHA256

    e5b21a143695a868c5dfd2408ef03cd8022b68cdadcfe1a372605896af776662

  • SHA512

    8096e3ac9b0f83e612b2bf1b49ac46809c9497b1e4be2165c3c28711535c2e9f3fd1544b0b5dc6884cd9c6fd73c895be6ce053d41cd5270e3634188e7f08e2ad

  • SSDEEP

    6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIRD:Plf5j6zCNa0xeE3mpD

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 58 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\SysWOW64\yzjqzeeuvm.exe
      yzjqzeeuvm.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\bqovlndo.exe
        C:\Windows\system32\bqovlndo.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2248
    • C:\Windows\SysWOW64\pegdwiofyiqrkrd.exe
      pegdwiofyiqrkrd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1640
    • C:\Windows\SysWOW64\bqovlndo.exe
      bqovlndo.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2644
    • C:\Windows\SysWOW64\aeyqawoshkhjs.exe
      aeyqawoshkhjs.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2780
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2412

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      b73e662c7ac9136713a9efc1dd9944fb

      SHA1

      eeb69f03ea774f2624968883a44d9ed6cc1f4868

      SHA256

      521a9ca3d4eb98fce22b762b157dcb01d0ae39c86c125d7b0d2cc57270de33a9

      SHA512

      7c4a18a34fcbd36eb51a3ce313d8b493ac3471663e370bebcb7a54372eb7cd0d48c75f7d57658ab3bf9eb93097dd598b09a9f3811026bc3c3987c175aa9bd3d4

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      d0c7a2ffebd3b2e42aa4b0be76aa7b49

      SHA1

      1802a835aa3287e7672e379eb2d61601b061c224

      SHA256

      1f70ac8693599b8cd6279175ca32861bb3007a2480e40665fc88f0a181faae6e

      SHA512

      dd69b75fc88524db1c5202b4380de7a35369f5f3d8663061464584dd8ae907f53f407346cf72e9c28b9ffc04d2100c7613e6721ebfa049df57f2527b6d48fe32

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      4b584bb118f238e487225f0fc45ec8e5

      SHA1

      1ba86c454f686579e0474cfa1dbcc71339cbcac4

      SHA256

      986db765428a6bf99bea25f5223d16634313b6c3f7d6d6b702a1feac29d46789

      SHA512

      680031886e859bdbd9c568f911ac3b8f56c3587abba4fab6f65ce5818f4b47d2bd37cf1c56ffcf783c430df33dac39e7af3f96ed7f8edb7fe4758f8205eaa348

      Download Submit

    • C:\Windows\SysWOW64\aeyqawoshkhjs.exe
      Filesize

      255KB

      MD5

      de1d3cdba6e4d0e967c3a7c2879b478b

      SHA1

      8f9f444ac1ca1f8f019267dee9e49f44fcda1909

      SHA256

      a9c15bc37e4769f4eed4648b5c1af194b7be321ce1f2c0d03737464bce1ea9de

      SHA512

      d69992bab567bca06ba42618613bc9f509d33171b0003b9e61fbc1e19202c6987e10212559acee84afac8b3727cc64fd540ab8d2118ea70e117f566fc0ac51a0

      Download Submit

    • C:\Windows\SysWOW64\bqovlndo.exe
      Filesize

      255KB

      MD5

      a52f52d9f8b7c759c0b9ce5a66a7db64

      SHA1

      ed47924f40eb9244f73948ca287068c510fce6d0

      SHA256

      6cda392e9647067e1b19ffec95e06a630fc8b46a818e2d2c3d6305aba4841046

      SHA512

      3da05a6d525dc1d234e48335c51f3a02b758916cc217cb8d45855e0edc077dabaf2b406d6e5c982931b8cec9e3cb1cb48fddf9b158a8cac15f8171a4cccd0c76

      Download Submit

    • C:\Windows\SysWOW64\pegdwiofyiqrkrd.exe
      Filesize

      255KB

      MD5

      be5f3d27682dc9a32daccb9d69f2da19

      SHA1

      b4fbcae26f47e80ada5afdd307bfd6c4a7bbe9f1

      SHA256

      d4c0a176addac50885fbb60807aec8ae36d1ca7d4d2ecf8db1aea2f15a6559fd

      SHA512

      3a7492f38bb9ddf89b089b102f8533bc8e3963a963cef70a177bfb25ca8d6b2e83026d9d6d5d277c4edb49d1ce592c9a406db88b7df4ea6d2b79ce05bb3cc9f2

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\yzjqzeeuvm.exe
      Filesize

      255KB

      MD5

      5d49b6cc95a4372745b2512856642b97

      SHA1

      ac0a9d7502b1eafac4855a7096e5b2c88eb5487e

      SHA256

      8a28452b9736839de8bf6f62cefc9ef15320798c84294ca9519c0fe5b6408ed4

      SHA512

      690032f895c9b29648f743cdd61c232edf78081e802fb02774992536c67120a480804bc93f0a139f313a7d509081efc2532ec64797d43db05862dacdabcacd44

      Download Submit

    • memory/1640-157-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-120-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-105-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-123-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-95-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-98-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-154-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-160-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-38-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-116-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-126-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-90-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-113-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-151-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-129-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1640-163-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-153-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-128-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-150-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-89-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-125-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-156-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-97-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-122-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-45-0x0000000004000000-0x00000000040A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-159-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-104-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-162-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-119-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-26-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-115-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2024-112-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2248-111-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2248-93-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2248-101-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2248-102-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2248-47-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2248-108-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2548-50-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2548-149-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2644-94-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2644-106-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2644-91-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2644-37-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2644-99-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2644-109-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-124-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-107-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-96-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-100-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-127-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-114-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-121-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-152-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-92-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-130-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-155-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-164-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-117-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-158-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-161-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2780-41-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3044-32-0x0000000002E80000-0x0000000002F20000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3044-0-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3044-18-0x0000000002E80000-0x0000000002F20000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3044-49-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download