Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/05/2024, 21:37

General

  • Target

    208cc46a095afe8c984556cec3097ec0_NeikiAnalytics.exe

  • Size

    211KB

  • MD5

    208cc46a095afe8c984556cec3097ec0

  • SHA1

    91d38e6348fabd7c1c901f9c871f1a94a4cdb1c4

  • SHA256

    dc744862f33f7a231e99f67613748cf475337ab8cbc8a7b6cc02ce14c27e01a1

  • SHA512

    c00287d33a39fc7ead37c3672fbd05943db37ac189b9eeaf39c35a1e701d9f9058559796ba098077a48b62eff396adbe869bb53ce471c233ced4d145ae8d246e

  • SSDEEP

    3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOi:Jh8cBzHLRMpZ4d1Zi

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\208cc46a095afe8c984556cec3097ec0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\208cc46a095afe8c984556cec3097ec0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1056
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2588
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5080
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1988
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe

    Filesize

    211KB

    MD5

    4afd41e13b35971aeb8e1df956e3e5f6

    SHA1

    55b4356631eb3726ff5152bfb94ef04792136c0c

    SHA256

    bcb2d04b5b238a96812eba9d8fedc6ddb02bfe9af0a1c88fa2421fac6ce4fa92

    SHA512

    2972b6460290b42474b23aaacaf03c0404f126c14df74edc6ae18da092efa6d61546c3996b513d1eeba79fe2ed173c9c4c5d7c3253050b4a1ddd391f7a49c361

  • C:\Windows\spoolsw.exe

    Filesize

    211KB

    MD5

    5ac8d236855689e5cbfac27d112b2aa0

    SHA1

    67db58943eff773598593bbb788f10b0d706a727

    SHA256

    f79aa1fd108b07d198eb4d72da4a392d5b575a86c29e2ecb5e23144fdad0176b

    SHA512

    37f1599d94c25b72f5eb0b53fe3bc4fc64fa28c309a6503970fef4fbc4238e6aec5bb0611d112c5ca4430f092a5c521268101432afac0d08c0a25a1c18cf73f9

  • C:\Windows\swchost.exe

    Filesize

    211KB

    MD5

    f95011a52f5a5c2ac1a855cbf6a79f43

    SHA1

    cc42eef5ea7bbcca63556130f7f99c1a5b4c8e40

    SHA256

    6c3a2dbbe8673bf7e48a1433c77ec6052474125e5c7694bcaa0bb6fd6c770013

    SHA512

    3de2f3895c409da6288aebaa0385e77c97bfcf8e4fd0b1b53c0f9c64b100b5f63c64689ed58015a103b79537757d8272bdbdb4db539dce4fa075d9e1461463c6

  • C:\Windows\userinit.exe

    Filesize

    211KB

    MD5

    54889cea02cbf6e572f2c848bbdcf442

    SHA1

    f2a8e5bda3c2c7d3bcd93ceb50b8e00bca440c29

    SHA256

    9194fbfb47ee3176559e97f691dc7da35f440e9996bac44649dc0554291200f6

    SHA512

    6937600ce93bb1e9e71bfa4b714308c0b944c99d3f22ab2459baff1cae6f0b107baa8513199da5af07591fef33eb5cb1a21df22a5510d377f915506f00a93cb6