Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
11/05/2024, 16:04
General
-
Target
18201ab8fea5b6355f397e0f735fa830_NeikiAnalytics.exe
-
Size
66KB
-
MD5
18201ab8fea5b6355f397e0f735fa830
-
SHA1
048e248dcfbec2ad904917b9b55fe1376b09de8b
-
SHA256
3c4e278e34855819d71854f04f4141075bb706d2592d979d3393f81bd5c5244d
-
SHA512
b3438579f16b6e57e1704dbb117aec0a91cdd9e4c1eda7feda4be2f47896009fa4b465f56cfdb897f188106923fb826c5a429ab356984872f6a75bea39f38b24
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXih:IeklMMYJhqezw/pXzH9ih
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\18201ab8fea5b6355f397e0f735fa830_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\18201ab8fea5b6355f397e0f735fa830_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 16:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 16:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 16:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD58d537168016b5faa2c6255adf2e4144c
SHA1f697cc73ddfcdd12f03b801d81f4780fa2f01dc5
SHA256c8dd57e104fc816262dfaaf52c3c212e26a80e6b23fcb1bd16af4b93467a30b8
SHA51235db0381f50935a77401c9d581460d68789fc6e358f87bf17e360b09135ee2f0eb5ab54ff05e276e9bc3033402187287df963a76960fc9a089407d857ae70270
-
Filesize
66KB
MD502b267e70ef6aff2a60b2f15fe2292a9
SHA1c7eea746ed40076ecef2b214de10c59b3737bb32
SHA256c2049f8e0255badc5c25d4d57fec868bc46dc0ec8a0233545e0b7719046a8954
SHA51237a002c7d118620d91e726f05d4681998796a9bacca7dd3f935632d1831dd26b22be3eeae61c2b1bb8abbebf2f8f87e0b759792a8162dd3fcbf9883b0264b9ee
-
Filesize
66KB
MD57a3a41c9edd79690c551618c80ff90f5
SHA1bb93d9fb6255b6961adde426fac7bb49cdf1a7af
SHA256c7c2896255ad4446ee3d73041877f98e9f16b324b88d1b089160814d8744a46c
SHA512bdecd178cd198691873f705562f01bb289d85e6877a39bcf075336507aa362104584e52b387dfd5c64c7aa24287b612694284eaf961b77879e250a9c28014b64
-
Filesize
66KB
MD5b6ee81051ff8f481fe140dc5132ee25e
SHA1fb9e98a7364f87ee72f033f8473d9a352f77d3e8
SHA256217b3a7dd7def74f9fae92d4fffe0267ade35e7b516a3d5b5be11b1976aa566a
SHA5127b3047f7e7ef941746ca67d446bf9c48b85fe36acf18a06138fe9ed9a0f2fd68f739ffcca490c2b300dc0d34d817d4d7bff6e3b58afade332d54441e7099f59f
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
180KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB