Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

0b9233f1de...cs.exe

windows7-x64

8

0b9233f1de...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/05/2024, 12:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe

  • Size

    60KB

  • MD5

    0b9233f1de711561e8c0c4058c378ef0

  • SHA1

    8d5cef2819752ef9fb19bf7068c0e24190a386e2

  • SHA256

    d887e27b8ac8a61826803d518d93e3c64a0a40a1b55b5bf98431f28c25a94f16

  • SHA512

    a12d8ed8daf4430c926b2ae5ade6fc7605a87d2041d0aa4ae72dbda073f1bde93e2f8a864547e73c1f96af00b56560fde0757abfb4932de9e60dc9bd2198d42a

  • SSDEEP

    384:vbLwOs8AHsc4sMfwhKQLroLk4/CFsrdHWMZ:vvw9816vhKQLroLk4/wQpWMZ

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
    persistence
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\{2F89E1C7-5298-4329-9565-049FCAD424CD}.exe
      C:\Windows\{2F89E1C7-5298-4329-9565-049FCAD424CD}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Windows\{49223627-76D1-4052-A230-E5CCB79B18B6}.exe
        C:\Windows\{49223627-76D1-4052-A230-E5CCB79B18B6}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3692
        • C:\Windows\{CAEC71B9-C282-467c-8DF1-E8F2ADF01F01}.exe
          C:\Windows\{CAEC71B9-C282-467c-8DF1-E8F2ADF01F01}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          PID:4844
          • C:\Windows\{ED57DACD-3EDE-4657-8676-9EC159AB0AA6}.exe
            C:\Windows\{ED57DACD-3EDE-4657-8676-9EC159AB0AA6}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4804
            • C:\Windows\{BB908DA3-F1EB-43a4-9895-9150AAB52261}.exe
              C:\Windows\{BB908DA3-F1EB-43a4-9895-9150AAB52261}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:448
              • C:\Windows\{2A969C7D-AB65-4cb0-BFFA-1ACC7F1FB3A0}.exe
                C:\Windows\{2A969C7D-AB65-4cb0-BFFA-1ACC7F1FB3A0}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3688
                • C:\Windows\{94F20C41-9FAF-4cfb-A663-683686736BFD}.exe
                  C:\Windows\{94F20C41-9FAF-4cfb-A663-683686736BFD}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2996
                  • C:\Windows\{891BB9F6-8B5E-4505-95F3-FA9FD883A736}.exe
                    C:\Windows\{891BB9F6-8B5E-4505-95F3-FA9FD883A736}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1172
                    • C:\Windows\{DA6B5820-F9AB-482a-819F-A083C0FE470B}.exe
                      C:\Windows\{DA6B5820-F9AB-482a-819F-A083C0FE470B}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3060
                      • C:\Windows\{C84948AA-7CD3-45b0-AE89-7C9777B0736A}.exe
                        C:\Windows\{C84948AA-7CD3-45b0-AE89-7C9777B0736A}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4408
                        • C:\Windows\{549BD1EB-0094-4d5d-B3B7-CA76D4751CBA}.exe
                          C:\Windows\{549BD1EB-0094-4d5d-B3B7-CA76D4751CBA}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4560
                          • C:\Windows\{913309D4-C990-43eb-B14D-CE96B1539684}.exe
                            C:\Windows\{913309D4-C990-43eb-B14D-CE96B1539684}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:1540
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{549BD~1.EXE > nul
                            13⤵
                              PID:4736
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C8494~1.EXE > nul
                            12⤵
                              PID:388
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{DA6B5~1.EXE > nul
                            11⤵
                              PID:5080
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{891BB~1.EXE > nul
                            10⤵
                              PID:2308
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{94F20~1.EXE > nul
                            9⤵
                              PID:5108
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2A969~1.EXE > nul
                            8⤵
                              PID:4896
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{BB908~1.EXE > nul
                            7⤵
                              PID:4632
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{ED57D~1.EXE > nul
                            6⤵
                              PID:3260
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{CAEC7~1.EXE > nul
                            5⤵
                              PID:5060
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{49223~1.EXE > nul
                            4⤵
                              PID:4424
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{2F89E~1.EXE > nul
                            3⤵
                              PID:3900
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0B9233~1.EXE > nul
                            2⤵
                              PID:4924

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{2A969C7D-AB65-4cb0-BFFA-1ACC7F1FB3A0}.exe
                            Filesize

                            60KB

                            MD5

                            1f338d30ecb32e64bb5af41dda43e88d

                            SHA1

                            5218d5deb73d9229f33f8895f0cfc4f238cf1f2e

                            SHA256

                            c6e2f13a2da29e8e7e2af90bf098e8bc76f42048b8c84abda75666dbce23fed7

                            SHA512

                            76f0a404cf2162b3fa98c428a7bee10e1103a34ef551e95a5cffe3dc70d08e3b1878c85684e13383c642e3fec4554efdc63d923701e8f2544bf1a34c321aeae6

                            Download Submit

                          • C:\Windows\{2F89E1C7-5298-4329-9565-049FCAD424CD}.exe
                            Filesize

                            60KB

                            MD5

                            ad775fb0d9e4097e22d64f72bd1fcf80

                            SHA1

                            ffe2654805028b189d660df0da8b82079c2b7465

                            SHA256

                            ef240044b7463a92b62e09185f59d82c58eb756a44928d9679e2bba88e22b1b0

                            SHA512

                            2f62251299bfb45521e1b0a5977489124178391a5018922bc59080674477a4474a49997e4c84b94b6c5cd86c9f64fc41f158e64061d8c3d3083753264a4fe696

                            Download Submit

                          • C:\Windows\{49223627-76D1-4052-A230-E5CCB79B18B6}.exe
                            Filesize

                            60KB

                            MD5

                            885d2ac3bb57bd8d995c33ea3f4e1bee

                            SHA1

                            1b22efd9714d1641163ae241490c7efd88314633

                            SHA256

                            a5207600748a9dd505368afa7ac9279fc65dd916e0750f3f19f5fa8bece50e39

                            SHA512

                            67b2bdec679f4a94372337bf53be02caa45cd0462bedf30fb959b24c0576afb17afa737791f8298b425b2d6fc7e8c3cf014beb16b477c4582b0cc11f6cc2ce9a

                            Download Submit

                          • C:\Windows\{549BD1EB-0094-4d5d-B3B7-CA76D4751CBA}.exe
                            Filesize

                            60KB

                            MD5

                            10c9a87e46b5670438bd8acdc6ddf41d

                            SHA1

                            0bb4b07e9ed7ae81a1e088ab5bd11c3ca7b25a6e

                            SHA256

                            6a2cee7424c7da653a65ea87b547eba0cca9f73d37fb465705d6724438b642b0

                            SHA512

                            5e1cac17ce4e691c18d7d6933757e27cbab2fdb88bfbf975928d9a4bb6edf3c481479033bcfb72d9e7c8f1470ea3be9e5aadb962f5a7d9b94668b787637c3cea

                            Download Submit

                          • C:\Windows\{891BB9F6-8B5E-4505-95F3-FA9FD883A736}.exe
                            Filesize

                            60KB

                            MD5

                            f54b38dbaefa9c266a1ca052c9319315

                            SHA1

                            44dfc29bc0589e3b7d3409c05a605e07b46b0570

                            SHA256

                            37436474d6de60fbf187417a74fb548be98530e2d162bea856cecd478e52fdf5

                            SHA512

                            0f1ac39905eca4a20711ea1d5e74562221e5a4205acf59cb995c4e208c27cc40d41777d3c780e5bf64aff101cb44be2b605250bb9c197bb0dd2bb0a5ad45575a

                            Download Submit

                          • C:\Windows\{913309D4-C990-43eb-B14D-CE96B1539684}.exe
                            Filesize

                            60KB

                            MD5

                            3451797b91b157b2a55e5b583e32b5a9

                            SHA1

                            02b52dad9db6444abf2a703cbc95edf03e6abf30

                            SHA256

                            2f3eee7a650e8ec517e6193c95bcd62c494bd5cf8b70cafca1cc968e06f16398

                            SHA512

                            8ebf071509dd31251f024392666507597b1e088cf981189535d936b1abec853945fdcf27e501d3f2bf991ec1ebc70e1411cac62983ed160df2875c4a485e1d73

                            Download Submit

                          • C:\Windows\{94F20C41-9FAF-4cfb-A663-683686736BFD}.exe
                            Filesize

                            60KB

                            MD5

                            fa4e800c612b91040452735711c7d557

                            SHA1

                            5aa185b4648b6ad7952a72debfc0681efbb5e115

                            SHA256

                            760f85f924d3ccc63af9fdae5b58936cb884d8a7540593f6c9bc96149abc4083

                            SHA512

                            a4a562ab194bd482470d6adca8acb3dfd80ebef5a8655cec058dd3aafee2dacaa47d90dd6fe21e39035b3688c0a1721920c17b63f6ffe0933d5cda7e23945897

                            Download Submit

                          • C:\Windows\{BB908DA3-F1EB-43a4-9895-9150AAB52261}.exe
                            Filesize

                            60KB

                            MD5

                            eb9b79efb9dc7babf3e2364e89d5491b

                            SHA1

                            43eeff30fc4c573bf33424223f93879dfe57a072

                            SHA256

                            34b972397ce803cf3a1a5789cf0b4eb1caa70a4a529c9d7e8197b833af8cb1ff

                            SHA512

                            2150ae032343df8ccaee6a1201131b05b93a2bfc85d710b0891918d850043952e4524d050dc9c9fb2500cb25aaa8691f2e14a879014a8abbd693bf91cae5b2d5

                            Download Submit

                          • C:\Windows\{C84948AA-7CD3-45b0-AE89-7C9777B0736A}.exe
                            Filesize

                            60KB

                            MD5

                            0956df7b40458d00d5c538547b89b29e

                            SHA1

                            13f1c02154007fa3e44e1b5b1d9dc86f58cfaee2

                            SHA256

                            f99244c9248e453fcefaf5d3295da3ff21474d5cdab319ab94d2f84773a662bb

                            SHA512

                            21a003830c8b3a82ac59b570e3f3617df3b1fd036376f8349bf4c6e2de48b32c2ac76fc6b535c13e583f726b4de60699ac5f9fce8326464bf58f8561b9351fbe

                            Download Submit

                          • C:\Windows\{CAEC71B9-C282-467c-8DF1-E8F2ADF01F01}.exe
                            Filesize

                            60KB

                            MD5

                            abf3a78611a9d0bd092d03bfab66e014

                            SHA1

                            0782c30ab264445a5b4e04a1c930842f54f38c6d

                            SHA256

                            e5a4fd8c41ec8faca7e896f8653dccd08098c6fdf80d9f3f3882c49f466ed83c

                            SHA512

                            f466d8c2181d1c1f441143d6ec1b5afc830c8134fbcbdcf8f83c384aab0bbb6f9e43f7dc7fcc14c7e88c21aa581dd84dde3c0e4c61e1a6770808a48201ff67af

                            Download Submit

                          • C:\Windows\{DA6B5820-F9AB-482a-819F-A083C0FE470B}.exe
                            Filesize

                            60KB

                            MD5

                            1a3a9d6ad922a7efbbc544d2e3eb7da4

                            SHA1

                            3921fd108fd6592b783fcb6969e04efb6bc3a881

                            SHA256

                            7a85fa39882284572e4c0ba46d2db3bededf89e8483efb5eb55ccd13aa1f458b

                            SHA512

                            247eaf1fb4a8d828c94e5820622da8fa9e77a11ccee1497f3b38d804c91336fa0d23da0a7d44b47d067a2c0d7d5c50b95c45c9768dca5abbaffcf224ca10c01d

                            Download Submit