Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
10/05/2024, 16:30
Static task
static1
Behavioral task
behavioral1
Sample
211561c9e8bdfe05098d6e5bf9e1ae40_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
211561c9e8bdfe05098d6e5bf9e1ae40_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
211561c9e8bdfe05098d6e5bf9e1ae40_NeikiAnalytics.exe
-
Size
464KB
-
MD5
211561c9e8bdfe05098d6e5bf9e1ae40
-
SHA1
6065bffb3267e5c827d272e16393b6e8fc71d8ed
-
SHA256
3cca823f1bbfca3d84488bc0d50340c33f882ee1c8cfb141d98283935bd5b457
-
SHA512
e35c310414f308cf2914c96f36eeec7a9431f526acb53b20e2dd405a9da9f2f3f8ec918ef9cc718d42457138511633f0c9d1a544b7786db368e0f42d5883a177
-
SSDEEP
12288:Rdlc87eqqV5e+wBV6O+Wl4b8zIM3WDDLXEZ6Yg733I:RdSqqHeVBx1N/GDDUJa34
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 4988 backexer.exe 4284 gpupsync.exe 3196 ~3C2E.tmp -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diskSTAT = "C:\\Users\\Admin\\AppData\\Roaming\\backeown\\backexer.exe" 211561c9e8bdfe05098d6e5bf9e1ae40_NeikiAnalytics.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\gpupsync.exe 211561c9e8bdfe05098d6e5bf9e1ae40_NeikiAnalytics.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4988 backexer.exe 4988 backexer.exe 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE 3476 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 4988 backexer.exe Token: SeShutdownPrivilege 3476 Explorer.EXE Token: SeCreatePagefilePrivilege 3476 Explorer.EXE Token: SeShutdownPrivilege 3476 Explorer.EXE Token: SeCreatePagefilePrivilege 3476 Explorer.EXE Token: SeShutdownPrivilege 3476 Explorer.EXE Token: SeCreatePagefilePrivilege 3476 Explorer.EXE Token: SeShutdownPrivilege 3476 Explorer.EXE Token: SeCreatePagefilePrivilege 3476 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3476 Explorer.EXE 3476 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3476 Explorer.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1580 wrote to memory of 4988 1580 211561c9e8bdfe05098d6e5bf9e1ae40_NeikiAnalytics.exe 85 PID 1580 wrote to memory of 4988 1580 211561c9e8bdfe05098d6e5bf9e1ae40_NeikiAnalytics.exe 85 PID 1580 wrote to memory of 4988 1580 211561c9e8bdfe05098d6e5bf9e1ae40_NeikiAnalytics.exe 85 PID 4988 wrote to memory of 3196 4988 backexer.exe 87 PID 4988 wrote to memory of 3196 4988 backexer.exe 87 PID 3196 wrote to memory of 3476 3196 ~3C2E.tmp 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\211561c9e8bdfe05098d6e5bf9e1ae40_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\211561c9e8bdfe05098d6e5bf9e1ae40_NeikiAnalytics.exe"2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Users\Admin\AppData\Roaming\backeown\backexer.exe"C:\Users\Admin\AppData\Roaming\backeown"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Users\Admin\AppData\Local\Temp\~3C2E.tmp3476 475144 4988 14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196
-
-
-
-
C:\Windows\SysWOW64\gpupsync.exeC:\Windows\SysWOW64\gpupsync.exe -s1⤵
- Executes dropped EXE
PID:4284
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD586dc243576cf5c7445451af37631eea9
SHA199a81c47c4c02f32c0ab456bfa23c306c7a09bf9
SHA25625d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a
SHA512c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4
-
Filesize
464KB
MD52b64e0fa9cbd3518ab9c324969f878da
SHA193d37f9fa8e928f3226463dbde10944df17a8adb
SHA25695b1ee6a9c93fca98e3047bbdf23b25bf0eb1037b128f92f53bf3509f4cda527
SHA51220ca5be3f676e9503e81b9eaef00e2421f38745d85d8df1994e25653b1b1f569f7181d96b57d3e54535d7fbf58fbf020e20d1f8e9e55214aa99441d3490920de