Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

039acc2b4a...cs.exe

windows7-x64

7

039acc2b4a...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/05/2024, 12:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    039acc2b4a02b96bf7b31fe59732b9b0_NeikiAnalytics.exe

  • Size

    479KB

  • MD5

    039acc2b4a02b96bf7b31fe59732b9b0

  • SHA1

    fba2e2e76bee08317ad5b3391e6d35b14c1d8186

  • SHA256

    226252e62d010e001b735dfa5b162d7023611eac1dbcb4193c2555d8af460ecc

  • SHA512

    ce56eb8016e7d945bcefa6096a7a181cb9142b2f703ede3b7a88ca244c51bff87c211eb1be6d6d4117f0707bee4d71050f810baba73265ce1207d76ddc874762

  • SSDEEP

    12288:46lc87eqqV5e+wBV6O+lDOB4A5nT0W5MxsBPbNt46K:46SqqHeVBx9B15nT0W5hBDNtPK

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    PID:3372
    • C:\Users\Admin\AppData\Local\Temp\039acc2b4a02b96bf7b31fe59732b9b0_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\039acc2b4a02b96bf7b31fe59732b9b0_NeikiAnalytics.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Users\Admin\AppData\Roaming\findayed\clipinst.exe
        "C:\Users\Admin\AppData\Roaming\findayed"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:900
        • C:\Users\Admin\AppData\Local\Temp\~5033.tmp
          3372 490504 900 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3340
  • C:\Windows\SysWOW64\autosfc.exe
    C:\Windows\SysWOW64\autosfc.exe -s
    1⤵
    • Executes dropped EXE
    PID:808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~5033.tmp
    Filesize

    8KB

    MD5

    86dc243576cf5c7445451af37631eea9

    SHA1

    99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

    SHA256

    25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

    SHA512

    c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\findayed\clipinst.exe
    Filesize

    479KB

    MD5

    9e32a3c5a70cd5716a31ecf37a3f024c

    SHA1

    d299b1142fef64a060c5775ba8aaa59ee824d4c7

    SHA256

    3bdec19c528c3fd6a95ca69ef3d160f208e55dfa86b5303a661117b852c9b77d

    SHA512

    cd59ef39e6035e44bb133dd7f3ceb35d5f10411a62f7d9f37d8d17980822e21851771bf0ce02e566e9f5d9e8dcb26cd252d7b9c5bcaad1b4328a2f8d2944e6d2

    Download Submit

  • memory/808-15-0x0000000000560000-0x00000000005E0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/808-14-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/900-13-0x0000000000690000-0x0000000000695000-memory.dmp

    Filesize

    20KB

    Download

  • memory/900-7-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/900-8-0x00000000005C0000-0x0000000000640000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3372-27-0x0000000002E50000-0x0000000002E5D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3372-25-0x0000000002EF0000-0x0000000002F77000-memory.dmp

    Filesize

    540KB

    Download

  • memory/3372-18-0x0000000002EF0000-0x0000000002F77000-memory.dmp

    Filesize

    540KB

    Download

  • memory/3372-26-0x0000000000BE0000-0x0000000000BE6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3940-0-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3940-1-0x00000000006B0000-0x0000000000730000-memory.dmp

    Filesize

    512KB

    Download