Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

18201ab8fe...cs.exe

windows7-x64

10

18201ab8fe...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/05/2024, 16:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18201ab8fea5b6355f397e0f735fa830_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    18201ab8fea5b6355f397e0f735fa830

  • SHA1

    048e248dcfbec2ad904917b9b55fe1376b09de8b

  • SHA256

    3c4e278e34855819d71854f04f4141075bb706d2592d979d3393f81bd5c5244d

  • SHA512

    b3438579f16b6e57e1704dbb117aec0a91cdd9e4c1eda7feda4be2f47896009fa4b465f56cfdb897f188106923fb826c5a429ab356984872f6a75bea39f38b24

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXih:IeklMMYJhqezw/pXzH9ih

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18201ab8fea5b6355f397e0f735fa830_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\18201ab8fea5b6355f397e0f735fa830_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2872
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2992
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1464
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1688
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1972
          • C:\Windows\SysWOW64\at.exe
            at 16:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1808
            • C:\Windows\SysWOW64\at.exe
              at 16:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:3828
              • C:\Windows\SysWOW64\at.exe
                at 16:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1444

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          91106c9193b71cb550232844e7ac12f5

          SHA1

          dbb7f7220f8fffa56b58f7e7400ee501e5cd978f

          SHA256

          1bc4e4137e4d873ef0ed9f11b02133b054c3825746744ac28ac4d2fae452caba

          SHA512

          cd7aca6f02d9f2b31fd522e86fcb7a773b0552d5b3564074bff357efb1f909875a18c6c68e9f925daebffc72cadfc7ee6ea7773b83ba9ec9529803cef5b2af07

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          67977badeb47c28f6c3b41c698a58f45

          SHA1

          7ba5a97f1904780fbf7dae416fee933ad143c7de

          SHA256

          f24cb0d4554a82861112598c7de94400596eb8ee8cc50b91f6f20cfecfdab4a2

          SHA512

          708b1662ca512a11ecfad5721f9559e39ff87f146606fd24a96c82a6f623042586f9f77876e794bd3c551999dbcc666b3abe72293428b58c5ea1db8706ddaa5c

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          fd6b0ede4876a8f9127dcfbcc3b6920b

          SHA1

          e943fe5e78cac4da53e06fabda3f06f84a8f7527

          SHA256

          3b7a6cc668fbcce660155224322777fc045b2190611ddd15e438674b284d37b9

          SHA512

          1d5692a24150a3d251b1624d0b3c051fecdeffb906bfcd9dced06e95463e28f30c1e830ab96884a8cb4031c751999f678f97706e20e45282bb22092918c3a964

          Download Submit

        • \??\c:\windows\system\explorer.exe
          Filesize

          66KB

          MD5

          0b8279ab7ec617734f4b463ca65d9c1d

          SHA1

          e3e5f9a167b8c4f4cbb0430aec457908d100c409

          SHA256

          11cfbaf809cda76ee1d78e1c5b37656190a8e0b52f569925210920f222865366

          SHA512

          8b37b2c5dbe7928b26e927a98d8a1882ef16949aadded09d25c34a45198b73100838eda7f0fed1930f439903bf2a28e21d13aaa712674f6265dcdeea1ce3cad1

          Download Submit

        • memory/1464-26-0x00000000753E0000-0x000000007553D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1464-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1464-25-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1688-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1688-40-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1688-36-0x00000000753E0000-0x000000007553D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1972-43-0x00000000753E0000-0x000000007553D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1972-49-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2872-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2872-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2872-54-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2872-56-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2872-55-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2872-2-0x00000000753E0000-0x000000007553D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2872-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2872-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2992-16-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2992-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2992-14-0x00000000753E0000-0x000000007553D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2992-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2992-69-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download