Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/05/2024, 01:07 UTC

General

  • Target

    55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe

  • Size

    71KB

  • MD5

    55c0af260d6707b8522bddb917281430

  • SHA1

    c9bc12e251dcc86a2d741901e6e3ec71ac9f9e0b

  • SHA256

    b987bc2b4b4e0fc800c67068f35f31f9c8cd5e61b813d0cf1a860a5c3379009a

  • SHA512

    38ac8a5125e6551f23ea5fbbfdcb06094010a0702be059fa916c0a12e9700c074bbe92f2a56cff1e136bc1246d3bac30b533e339e762cc0a5756031c5e6382e9

  • SSDEEP

    1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8sle:Olg35GTslA5t3/w8X

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Sets file execution options in registry 2 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:436
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1240
        • C:\Users\Admin\AppData\Local\Temp\55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1804
          • C:\Windows\SysWOW64\ixloden-for.exe
            "C:\Windows\system32\ixloden-for.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2064
            • C:\Windows\SysWOW64\ixloden-for.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1116

Network

  • DNS lookup: uqhkkfthygl.ws (US)
    Process: ixloden-for.exe
    Remote address: 8.8.8.8:53
    Request: uqhkkfthygl.ws IN A
    Response: uqhkkfthygl.ws IN A 64.70.19.203
  • DNS lookup: utbidet-ugeas.biz (US)
    Process: ixloden-for.exe
    Remote address: 8.8.8.8:53
    Request: utbidet-ugeas.biz IN A
    Response: utbidet-ugeas.biz IN A 127.0.0.1
  • DNS lookup: utbidet-ugeas.biz (US)
    Process: ixloden-for.exe
    Remote address: 8.8.8.8:53
    Request: utbidet-ugeas.biz IN A
    Response: utbidet-ugeas.biz IN A 127.0.0.1
  • 64.70.19.203:80 (uqhkkfthygl.ws)
    Process: ixloden-for.exe
    Bytes: 190 B / 88 B; packets: 4 / 2
  • 127.0.0.1:80
    Process: ixloden-for.exe
  • 127.0.0.1:80
    Process: ixloden-for.exe
  • 8.8.8.8:53 (uqhkkfthygl.ws), dns
    Process: ixloden-for.exe
    Bytes: 60 B / 76 B; packets: 1 / 1
    DNS Request: uqhkkfthygl.ws
    DNS Response: 64.70.19.203
  • 8.8.8.8:53 (utbidet-ugeas.biz), dns
    Process: ixloden-for.exe
    Bytes: 63 B / 79 B; packets: 1 / 1
    DNS Request: utbidet-ugeas.biz
    DNS Response: 127.0.0.1
  • 8.8.8.8:53 (utbidet-ugeas.biz), dns
    Process: ixloden-for.exe
    Bytes: 63 B / 79 B; packets: 1 / 1
    DNS Request: utbidet-ugeas.biz
    DNS Response: 127.0.0.1

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\eacheaxeak.exe
    Filesize: 74KB
    MD5: 20f2a0e89ef470e5ea2e01e52927253a
    SHA1: 6e8539221503971b654a025edc712a859eab5d3a
    SHA256: e4c07c0c08425c036fbb1550db325c7758c36c7cbf90e68b2bbce8678a7f4e68
    SHA512: 9ccc8d2cb9ed0e13d08f9e6207fc0f2cfce0325949236b461bf0ba79afe77020b41f5011085fcded37807aed1dec27032615030171f4a3a1bd573b4c1b80840a
  • C:\Windows\SysWOW64\etgosag-eteas.dll
    Filesize: 5KB
    MD5: f37b21c00fd81bd93c89ce741a88f183
    SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
    SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
    SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
  • C:\Windows\SysWOW64\ounrigoap.exe
    Filesize: 73KB
    MD5: e31ad5c7d7a0eed4eb64bd6c172705e8
    SHA1: 90dafdd9cc3ad79c401de5a2a9b61d591c520388
    SHA256: ee727685ada8cd0b307d4519e62a34566363c6cd5b332ab15ca1d917105f9118
    SHA512: e1319527dc28524992b986164dbde5a97b70726f754c77fa65c9be2ae534c6edc17e207e3f1d3bc1a6892f513531aee167888e9253916d76cb75185df5c94d8c
  • \Windows\SysWOW64\ixloden-for.exe
    Filesize: 71KB
    MD5: 55c0af260d6707b8522bddb917281430
    SHA1: c9bc12e251dcc86a2d741901e6e3ec71ac9f9e0b
    SHA256: b987bc2b4b4e0fc800c67068f35f31f9c8cd5e61b813d0cf1a860a5c3379009a
    SHA512: 38ac8a5125e6551f23ea5fbbfdcb06094010a0702be059fa916c0a12e9700c074bbe92f2a56cff1e136bc1246d3bac30b533e339e762cc0a5756031c5e6382e9
  • memory/1116-56-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
  • memory/1804-9-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
  • memory/2064-55-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
