Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
13/05/2024, 11:12
General
-
Target
b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe
-
Size
64KB
-
MD5
b47adbbba7eda6e9b8eb04c12f6d86c0
-
SHA1
34792f7e9b9db434a75c60d1e1d8e46bac0bb5fd
-
SHA256
83c8ed621fdb4634a042aab4002b18c6bf7ddbe57fb07edf923a2e3a5b7c2f1a
-
SHA512
fc3c0bcdfbca2837fec634264aa56789915adfa570a86e7db711c1db59ad3095a3b939fd2041190fbd0454170cccef43a33332cdbfcde79b1b85e7f656e2bcfb
-
SSDEEP
768:Ovw9816vIKQLroC34/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdS:6EGq0oC3lwWMZQcpmgDagIyS1loL7WrS
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\b47adbbba7eda6e9b8eb04c12f6d86c0_NeikiAnalytics.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{DA2D15BE-79CB-4cd1-A1A1-5F58307A4F25}.exeC:\Windows\{DA2D15BE-79CB-4cd1-A1A1-5F58307A4F25}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3FB9CE19-4783-49ed-986B-A7A4B7265512}.exeC:\Windows\{3FB9CE19-4783-49ed-986B-A7A4B7265512}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1BA4CE38-09A6-4cfe-AF2D-9C09589BC1A4}.exeC:\Windows\{1BA4CE38-09A6-4cfe-AF2D-9C09589BC1A4}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3A461564-DBE4-4650-9AD8-40D89D88B27D}.exeC:\Windows\{3A461564-DBE4-4650-9AD8-40D89D88B27D}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{89EB8516-AE4F-4b26-B1EE-E1E012BA1A81}.exeC:\Windows\{89EB8516-AE4F-4b26-B1EE-E1E012BA1A81}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{99242B23-75D1-4f3e-8991-B0FB0EC8AE86}.exeC:\Windows\{99242B23-75D1-4f3e-8991-B0FB0EC8AE86}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{846F1EC6-C820-4ed0-ABBF-44008125E859}.exeC:\Windows\{846F1EC6-C820-4ed0-ABBF-44008125E859}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EBA43F24-9B2B-4f96-9622-172F799EDB0C}.exeC:\Windows\{EBA43F24-9B2B-4f96-9622-172F799EDB0C}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{DA00D9D9-71FE-48b7-863E-18CCE9447ACB}.exeC:\Windows\{DA00D9D9-71FE-48b7-863E-18CCE9447ACB}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{18242B0C-6C1B-47f7-A527-F6E288E36FF5}.exeC:\Windows\{18242B0C-6C1B-47f7-A527-F6E288E36FF5}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C038EDE5-5B27-4066-905E-BA37B8782B2E}.exeC:\Windows\{C038EDE5-5B27-4066-905E-BA37B8782B2E}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{2FBA0979-E96B-4c64-AB0B-1A5BBB014B5C}.exeC:\Windows\{2FBA0979-E96B-4c64-AB0B-1A5BBB014B5C}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C038E~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{18242~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DA00D~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EBA43~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{846F1~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{99242~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{89EB8~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3A461~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1BA4C~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3FB9C~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DA2D1~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B47ADB~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD55e28750780fff39d7c7858b5c8c2df16
SHA120f82d781e75164b8fa1742ed581d6522f8ef477
SHA25640fce5f8b385141b1c7495dddbf3778d9e11a6f3bd4be74123b00cc0bec9993f
SHA5123c4922b8e364b38dee62bd945eeb546ff9fd0e7e045e9e111ad8a8da7c152d1d82d65b2888266ba49723959fee25f78185aafebc022af68d2f32f9db44337b5a
-
Filesize
64KB
MD550720ecf599ffdc3cc0b99df756014f8
SHA12746d64b1dae0dbda605cd0e69d5e487c72db7f3
SHA256c86fa73ec66736fe4133d6a3a736d5fd15123ecb5af48d41863ef2ebd8561d97
SHA51294270da852fd9fe54a41e62d57e19366dd95b13d536472c27122c95e6a72957ffdd64b6ac207fa6fad10d86ccb855355032a9fba61794494956c488effd4f962
-
Filesize
64KB
MD56e8d565bfb4c91a8ccdf71f7ed5ba479
SHA1c9886837c28ecb7915660492b30be6e69ca3b4bf
SHA256ef113e6f68c5aefd2e24180ddc028bea812bf0c4653a840ca42ce66e4486bd00
SHA51255c9679aa882e2020baf4cc679a74f95623da17c310bf422589cc5ebdf7b142ecb6217a55ed206f50101df1a1b16ec0d43b4ff340be81d23b00431decdfba51c
-
Filesize
64KB
MD54ccfc8073290b11e9a7b6a764b660434
SHA16f068b17d51359287a90e795bb6c73395b97ee69
SHA256bf81634f4c7c8ae701a20112e5c330263b6bf8b7e6a354c353c2e83888a01a9a
SHA5127a93b7177686e9380c99e848544ec233e1a43435b0a0862a35d80bf778df91b22fb4c69724613975b77ac3381d7708969edcdf1807527fd0b2ad4fdd7c524ffd
-
Filesize
64KB
MD50d922efe58e08b269d1fa20fe1f87880
SHA198f6abd3e96182a1e2240c509fe94e739a331f1d
SHA2560232617cfed250c196cd79c3462f0bc609887cc98d6104383db654690ff2f890
SHA512cc50f2d083ffeaba6a617ec8afeb3a2d7191a9dad32e7c73ecc91b475925ac2d18f13912599df5d38097de163dddd15912ee880eccc40c84f05e0c79e4bd0c27
-
Filesize
64KB
MD5c4d0d06a6f9cc219086d9cc1b016b33f
SHA1c96667c4d2f4c5143446f096e072302c56d3c695
SHA25602d939b085f4a1952d44fac10f4eb7453159e65ff1929408af35b20ab50ca1a1
SHA512f20d63e1591ee915009c95be9b5913bb899d6831790b67f700f3b5df7be0626dd82a578c97e5195c6e54fe0e568f8218346d27cffc16286ffbb546a14a96c778
-
Filesize
64KB
MD52422b5d1fbcb77afd8d4b2b71051b4dc
SHA16b59bb9330f5f2c826369d7b79dd73072d14b2de
SHA25659713b2af46a676e3d66957b52868d2ebf33b474335a030468323b76dce67808
SHA512085338675a43f0fb4ae2eee81b63e4719249cac67faa8fe76ae59df2a0672c334d501970fff42a918525f677851093ffc7556eba82392c886c570762e33f9023
-
Filesize
64KB
MD512121a7cca58e039109af719b1b6d079
SHA1c33b78240d4788e098ae201ee46cdb5c1bafafef
SHA256a9af050229b6db917c2a3a0d95d79d5d6fab955d5244d27033c58623b547ccf8
SHA512e38400180bdd858505af84aeca932838966a6e665b9cc7c021469626dd1e1fbff36d47d5f5e8f7974f0308a2faccae8ef5aa6415d5f5e6487e905dc2dafbeb1b
-
Filesize
64KB
MD57f40e6057a60f6446dd3e153dc1267fa
SHA158e53c222f0d6bb4bedb958b802321ee8ab4e1e3
SHA2560f76128be7142192dcb0773ba1b0b2dbb06f06029beb0c6f90fdbbff95ba457b
SHA51248e56ba167b07be0b16fa2247d5b4d938005d0f8effe314f767289dd7ea7e72fc72f88ca1759ce69a15c3f8bc66ed663547bbb730cf431912b098e3a0c1a3158
-
Filesize
64KB
MD538acb231708ac738fb4aceedd9618d35
SHA1068ec1120a7221cd2a7d6dc2f32a7d403438579b
SHA256c7b89d7444d372b619ddf3f5d4ce0d7d8b69122b1504368421712bc5f8f7f6ed
SHA512c1f58bd16cd0232cea1dc28a6445537020e4a987c8659def0c98b46654e9621634b2ee01c47002ea5b3d82ca32ca20a718db6a8daff861092799a25468c26005
-
Filesize
64KB
MD597b6fc0a8bf8f7d93945073d43316f18
SHA175ea1d2afcca2d1f23c232519082687766e51611
SHA2566346b808300aef1e295c95722c765befc69838ae7f022470e7379ecf911afbf7
SHA5125738b3b20e89a689d75bc751128c55c9df084b5544d8fd05f4219549d49f318a4a8770e6cb3569a56e610aa5139734bb7723b2141af41100f28ab42fde23d22e
-
Filesize
64KB
MD59cc5e6da38c860e0762620d11defdef4
SHA1bff9507bf7fa6ad77f27727012200b459d6519c8
SHA256e3c5741d6ab768ca575e6ab0713271ed1406cde738f9992297248a0adf77e443
SHA5120f7ee4c103c0b7b85e4852dbf933f1897f11c429a77adfc74e1dd8270aafa9c27f1722bbdb749be32301270c8945a6466f01b8d858701204f40bad13d3014aab
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB