
Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/05/2024, 21:37

General

  • Target

    208cc46a095afe8c984556cec3097ec0_NeikiAnalytics.exe

  • Size

    211KB

  • MD5

    208cc46a095afe8c984556cec3097ec0

  • SHA1

    91d38e6348fabd7c1c901f9c871f1a94a4cdb1c4

  • SHA256

    dc744862f33f7a231e99f67613748cf475337ab8cbc8a7b6cc02ce14c27e01a1

  • SHA512

    c00287d33a39fc7ead37c3672fbd05943db37ac189b9eeaf39c35a1e701d9f9058559796ba098077a48b62eff396adbe869bb53ce471c233ced4d145ae8d246e

  • SSDEEP

    3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOi:Jh8cBzHLRMpZ4d1Zi

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\208cc46a095afe8c984556cec3097ec0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\208cc46a095afe8c984556cec3097ec0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2196
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2876
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2484
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2648
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2472

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe

    Filesize

    211KB

    MD5

    96136c46bf3d92654fc1150fda3ab790

    SHA1

    4332e0feb6dd02c030816b52b711f111acbda3ac

    SHA256

    04427da1f7ca046475a4b3b1d9cad859101c0ab9181b371a578375b35932be3f

    SHA512

    6fb703172373b0255f2adeacaeb7d6236c6c525bf1aa7dc30274d238e48f33b4f8a31ee2ac96028608b898784b1e1015a8dda7a59050632a58ec1c01f44395eb

  • C:\Windows\spoolsw.exe

    Filesize

    211KB

    MD5

    1a201872c87a6b933ee0002758ae5ea2

    SHA1

    87b15e427f34fda6c60d642f156e810278b4b244

    SHA256

    3efb06d11fe6f25d3ed5b47aabd665ff5ac6f457068c98b0fe3b6dcb44d519a8

    SHA512

    8826c626ea0d9a17c5aa14021c53e499a0edb700429161391a7f003c69cb7783637e1d248d27366a13bd68a1ee2662d63a2aeb3b3d68f22236df187905eb5fdf

  • C:\Windows\swchost.exe

    Filesize

    211KB

    MD5

    5baae77e6cc20029d4524b346f3101d6

    SHA1

    999b5fca061a470bd6ad2694624663133afa5366

    SHA256

    85a4cae8038cfe9617585cfd13104f356062169843f5d6945900caede8cdaa33

    SHA512

    c3c55e6961fcd54dafffe6e9b4194b0a3f0edc74942c1562e0335adf01aabdcd0665016c121cb5acab156fff6d84e99064edf68f11eef093167853ec8676885d

  • C:\Windows\userinit.exe

    Filesize

    211KB

    MD5

    54889cea02cbf6e572f2c848bbdcf442

    SHA1

    f2a8e5bda3c2c7d3bcd93ceb50b8e00bca440c29

    SHA256

    9194fbfb47ee3176559e97f691dc7da35f440e9996bac44649dc0554291200f6

    SHA512

    6937600ce93bb1e9e71bfa4b714308c0b944c99d3f22ab2459baff1cae6f0b107baa8513199da5af07591fef33eb5cb1a21df22a5510d377f915506f00a93cb6
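The process tree and the Downloads list above give enough to check a host for this sample: four 211KB executables dropped under C:\Windows and a user's AppData\Local, a copy of userinit.exe launched from the Windows root rather than System32, look-alike names spoolsw.exe and swchost.exe, and persistence via Winlogon, Run keys and Installed Components. The script below is an added triage example, not tria.ge output and not part of the sample; it reads the report's hashes and the signature names only. The registry locations it inspects are the usual targets of those signatures and are an assumption on my part, since this page's IoC details are collapsed; confirm them against the expanded IoC list. It also assumes mrsys.exe may land in any profile, not only C:\Users\Admin.

```powershell
# Host triage for the artefacts in this report: dropped look-alike binaries,
# Winlogon / Run-key / Active Setup persistence, and Explorer hidden-file settings.
# Added example, not tria.ge output. Registry paths below are assumed targets of
# the named signatures; confirm against the report's expanded IoCs.
# Works on PowerShell 2.0 (stock Windows 7) and later; run from an elevated shell.

# Dropped files from the Downloads section, keyed by file name, with reported SHA256.
$KnownSha256 = @{
    'userinit.exe' = '9194fbfb47ee3176559e97f691dc7da35f440e9996bac44649dc0554291200f6'
    'spoolsw.exe'  = '3efb06d11fe6f25d3ed5b47aabd665ff5ac6f457068c98b0fe3b6dcb44d519a8'
    'swchost.exe'  = '85a4cae8038cfe9617585cfd13104f356062169843f5d6945900caede8cdaa33'
    'mrsys.exe'    = '04427da1f7ca046475a4b3b1d9cad859101c0ab9181b371a578375b35932be3f'
}
$NamePattern = 'userinit\.exe|spoolsw\.exe|swchost\.exe|mrsys\.exe'
$Findings    = New-Object System.Collections.ArrayList

function Add-Finding([string]$Kind, [string]$Detail) {
    [void]$Findings.Add((New-Object PSObject -Property @{ Kind = $Kind; Detail = $Detail }))
}

# SHA256 via .NET so it also works where Get-FileHash (PowerShell 4+) is absent.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '').ToLower() }
    finally { $fs.Dispose(); $sha.Dispose() }
}

# 1. Dropped executables. The genuine userinit.exe lives in System32, so a copy in
#    the Windows root is anomalous on its own; spoolsw.exe and swchost.exe are
#    look-alikes of spoolsv.exe and svchost.exe, which have no business there either.
$Candidates = @("$env:SystemRoot\userinit.exe", "$env:SystemRoot\spoolsw.exe", "$env:SystemRoot\swchost.exe")
$Candidates += Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Local\mrsys.exe" -Force -ErrorAction SilentlyContinue |
               ForEach-Object { $_.FullName }
foreach ($Path in $Candidates) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }
    $Hash    = Get-Sha256Hex $Path
    $Name    = [System.IO.Path]::GetFileName($Path).ToLower()
    $Verdict = if ($KnownSha256[$Name] -eq $Hash) { 'matches report' } else { 'differs from report (variant?)' }
    Add-Finding 'DroppedFile' "$Path sha256=$Hash ($Verdict)"
}

# 2. Winlogon: Userinit should be exactly System32\userinit.exe (trailing comma is
#    normal) and Shell should be explorer.exe. Anything else is a persistence hook.
$Wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$UserinitOk = '^\s*' + [regex]::Escape("$env:SystemRoot\system32\userinit.exe") + ',?\s*$'
if ($Wl.Userinit -notmatch $UserinitOk) { Add-Finding 'Winlogon' "Userinit = $($Wl.Userinit)" }
if ($Wl.Shell -ne 'explorer.exe')       { Add-Finding 'Winlogon' "Shell = $($Wl.Shell)" }

# 3. Run/RunOnce (HKCU covers the current user only; load other users' NTUSER.DAT
#    separately) and Active Setup StubPath entries, which the "Installed Components"
#    signature refers to. Flag any entry that names one of the dropped files.
$RunKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    foreach ($P in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($P.Name -notlike 'PS*' -and "$($P.Value)" -match $NamePattern) {
            Add-Finding 'RunKey' "$Key\$($P.Name) = $($P.Value)"
        }
    }
}
$ActiveSetup = @('HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components')
foreach ($Root in $ActiveSetup) {
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $Stub = (Get-ItemProperty -Path $_.PSPath).StubPath
        if ("$Stub" -match $NamePattern) { Add-Finding 'ActiveSetup' "$($_.PSChildName) StubPath = $Stub" }
    }
}

# 4. Explorer hidden-file settings. Per-user Hidden=2 / ShowSuperHidden=0 are the
#    defaults, so they are reported for context only; the machine-wide SHOWALL
#    CheckedValue (expected 1; some malware sets it to 0 so the user cannot re-enable
#    hidden files) is the cleaner signal.
$ShowAll = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' -ErrorAction SilentlyContinue
if ($ShowAll -and $ShowAll.CheckedValue -ne 1) { Add-Finding 'Explorer' "SHOWALL\CheckedValue = $($ShowAll.CheckedValue) (expected 1)" }
$Adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($Adv) { Add-Finding 'Explorer' "HKCU Hidden = $($Adv.Hidden), ShowSuperHidden = $($Adv.ShowSuperHidden)" }

# 5. Live processes under the dropped names running from the Windows root; WMI gives
#    the command line, so the "SE"/"PR" arguments seen in the process tree show up too.
$ExePattern = '^' + [regex]::Escape("$env:SystemRoot\") + '(userinit|spoolsw|swchost)\.exe$'
Get-WmiObject -Class Win32_Process | Where-Object { $_.ExecutablePath -match $ExePattern } |
    ForEach-Object { Add-Finding 'Process' "PID $($_.ProcessId): $($_.CommandLine)" }

$Findings | Format-Table Kind, Detail -AutoSize
```

Treat a hash mismatch on a file at one of these paths as a finding, not a pass: a file named userinit.exe in the Windows root is wrong whatever its hash, and the four dropped copies in this report already carry four different hashes at the same 211KB size, so the sample rewrites itself on each drop. On a live host the sample's own processes may still be running, so collect the registry hives and files from an offline image or after isolating the machine where possible.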