Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

b972c00bf2...cs.exe

windows7-x64

10

b972c00bf2...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/05/2024, 09:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe

  • Size

    77KB

  • MD5

    b972c00bf289a05a128a74d75f723c20

  • SHA1

    38d43b1bf3f39b04a50a89776bb1b14961a6a4e4

  • SHA256

    6d9f005b96f1ce8f3c0b009b36137155fb9e0eef124ee9be9c8575692837b91e

  • SHA512

    91ec22d0c55f01dd78f5968d90ce25c96102fbf4843e60da3e39ad8ff2ba4ce59706d95e4ebf247d90a3b4ee17f589f43c1b4ac35b1bb7e17c779f68ac8e4078

  • SSDEEP

    1536:ekeK40T/mx7y9v7Z/Z2V/GSAFRfBhpVoK5:FD40Dmx7y9DZ/Z2hGVkK5

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1020
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1200
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:728
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:636
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4588
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3568
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3360
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4048
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\SysWOW64\Explorer.exe
          Explorer.exe "C:\recycled\SVCHOST.exe"
          4⤵
            PID:4364
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3684
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1600
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.doc" /o ""
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:624
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
        PID:5000
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4220,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
        1⤵
          PID:2248

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Recycled\SVCHOST.EXE
          Filesize

          77KB

          MD5

          78e10075d86b10040ab401262d49bb2d

          SHA1

          99f566f5890c3949e0f8694fc43b25f2ee74422e

          SHA256

          d8dba16ece18ddfa6b097fa270a34713857e0ab65b6eab89f807b14dc041f7c2

          SHA512

          855cb515ffd5fbd98a2fafcbdcd535749ab83e3dba8f7550260b517b2b33169dd7c9b363dcedaaaf190bbcccbd098c0f2230c82a535d48966ec70328cd90f6ff

          Download Submit

        • C:\Recycled\desktop.ini
          Filesize

          65B

          MD5

          ad0b0b4416f06af436328a3c12dc491b

          SHA1

          743c7ad130780de78ccbf75aa6f84298720ad3fa

          SHA256

          23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

          SHA512

          884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
          Filesize

          1KB

          MD5

          0269b6347e473980c5378044ac67aa1f

          SHA1

          c3334de50e320ad8bce8398acff95c363d039245

          SHA256

          68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

          SHA512

          e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl
          Filesize

          263KB

          MD5

          ff0e07eff1333cdf9fc2523d323dd654

          SHA1

          77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

          SHA256

          3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

          SHA512

          b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

          Download Submit

        • C:\begolu.txt
          Filesize

          2B

          MD5

          2b9d4fa85c8e82132bde46b143040142

          SHA1

          a02431cf7c501a5b368c91e41283419d8fa9fb03

          SHA256

          4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

          SHA512

          c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

          Download Submit

        • C:\recycled\SPOOLSV.EXE
          Filesize

          77KB

          MD5

          02c08d54afeaeb66cfb96d3366f4ba13

          SHA1

          bbfdce3ce7b2c02fec12e3d0fc634337dc7fd7c5

          SHA256

          a3bbfac55610b22696727c5a627d8baad90de394481b35c99d06846ee5576124

          SHA512

          b3790d598fc78c6a1943a6faee0c72f0172bc4c1259d0e09171ed6012158ab64368a9482fad69d2afec7728fcee6f17733b6ae23271a1f7ccbeba7fb45e01000

          Download Submit

        • F:\Recycled\SVCHOST.EXE
          Filesize

          77KB

          MD5

          0bb1bad676c18e19c8eae26d2d7b9ed4

          SHA1

          8b06f54cee253680409822aeb4da2a0b1152830e

          SHA256

          d8178a7cef1e3606a487f61be746274367e7d5ea7e18170d92df3dfac98a2d78

          SHA512

          96cb958b3c3e8d8e9bb71bc9f5ee6cf62c15195e8a2c57558371e5686e9878a275f48e3a5790db32d54823b7f13a4395588f8fdeaeb3d56eaa3fda52679d88b5

          Download Submit

        • memory/400-79-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/400-0-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/624-85-0x00007FFB1CE90000-0x00007FFB1CEA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/624-84-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/624-83-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/624-81-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/624-82-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/624-80-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/624-86-0x00007FFB1CE90000-0x00007FFB1CEA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/636-47-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/728-36-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/728-40-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1020-29-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1200-31-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1600-77-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1600-75-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1764-17-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2568-45-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3360-64-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3360-61-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3568-60-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3684-76-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4048-69-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4588-56-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download