Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 12/05/2024, 12:00
Static task: static1
Behavioral task: behavioral1
  Sample: 08b59a2530347762679540c34c0897e0_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 08b59a2530347762679540c34c0897e0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 08b59a2530347762679540c34c0897e0_NeikiAnalytics.exe
Size: 73KB
MD5: 08b59a2530347762679540c34c0897e0
SHA1: 8aeb88f9c34c4fd94c6e77e9df8b711d7dc69c2e
SHA256: f9d531c05db2f6af8d41de417a73dd8d4f44df658a6390d19081d1b0139842f4
SHA512: f10c30563008a57b9ba287766d4cc160ba5e72b67fa237835e0a28e60281fe3fb3b177eb8848e1c17c2e0e4eb88b48c4205a5e400c01d6fb50a884461d5d6e81
SSDEEP: 1536:xDytoYTXnoFxGjYUsWIYUzubBMiIt4S/7SCEZQcRKCO9VYQKKKuNTQrA:eFTh9MiW4euTQcIVVYHeNs0
Malware Config
Signatures
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ipkeamem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ipkeamem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ipkeamem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ipkeamem.exe
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858} | ipkeamem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | ipkeamem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\IsInstalled = "1" | ipkeamem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\StubPath = "C:\\Windows\\system32\\amcinat-ecix.exe" | ipkeamem.exe
Sets file execution options in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | ipkeamem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | ipkeamem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\opgigat.exe" | ipkeamem.exe
Executes dropped EXE (2 IoCs)
pid | Process
2208 | ipkeamem.exe
3020 | ipkeamem.exe
Loads dropped DLL (3 IoCs)
pid | Process
2184 | 08b59a2530347762679540c34c0897e0_NeikiAnalytics.exe
2184 | 08b59a2530347762679540c34c0897e0_NeikiAnalytics.exe
2208 | ipkeamem.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ipkeamem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ipkeamem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ipkeamem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ipkeamem.exe
Modifies WinLogon (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | ipkeamem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | ipkeamem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | ipkeamem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | ipkeamem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\oxfepeac-ador.dll" | ipkeamem.exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\oxfepeac-ador.dll | ipkeamem.exe
File opened for modification | C:\Windows\SysWOW64\ipkeamem.exe | ipkeamem.exe
File opened for modification | C:\Windows\SysWOW64\amcinat-ecix.exe | ipkeamem.exe
File created | C:\Windows\SysWOW64\amcinat-ecix.exe | ipkeamem.exe
File opened for modification | C:\Windows\SysWOW64\opgigat.exe | ipkeamem.exe
File created | C:\Windows\SysWOW64\opgigat.exe | ipkeamem.exe
File created | C:\Windows\SysWOW64\oxfepeac-ador.dll | ipkeamem.exe
File opened for modification | C:\Windows\SysWOW64\ipkeamem.exe | 08b59a2530347762679540c34c0897e0_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\ipkeamem.exe | 08b59a2530347762679540c34c0897e0_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated rows collapsed)
pid | Process
2208 | ipkeamem.exe (all entries but one)
3020 | ipkeamem.exe (one entry)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2208 | ipkeamem.exe
Suspicious use of WriteProcessMemory (64 IoCs; repeated rows collapsed)
description | pid | Process | procid_target
PID 2184 wrote to memory of 2208 | 2184 | 08b59a2530347762679540c34c0897e0_NeikiAnalytics.exe | 28 (4 entries)
PID 2208 wrote to memory of 436 | 2208 | ipkeamem.exe | 5 (1 entry)
PID 2208 wrote to memory of 1196 | 2208 | ipkeamem.exe | 21 (all remaining entries)
PID 2208 wrote to memory of 3020 | 2208 | ipkeamem.exe | 29 (4 entries)
Processes
C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 436

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1196
  C:\Users\Admin\AppData\Local\Temp\08b59a2530347762679540c34c0897e0_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\08b59a2530347762679540c34c0897e0_NeikiAnalytics.exe"
    PID: 2184
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\ipkeamem.exe
      command line: "C:\Windows\SysWOW64\ipkeamem.exe"
      PID: 2208
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\ipkeamem.exe
        command line: --k33p
        PID: 3020
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads