Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
15/05/2024, 01:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe
-
Size
71KB
-
MD5
55c0af260d6707b8522bddb917281430
-
SHA1
c9bc12e251dcc86a2d741901e6e3ec71ac9f9e0b
-
SHA256
b987bc2b4b4e0fc800c67068f35f31f9c8cd5e61b813d0cf1a860a5c3379009a
-
SHA512
38ac8a5125e6551f23ea5fbbfdcb06094010a0702be059fa916c0a12e9700c074bbe92f2a56cff1e136bc1246d3bac30b533e339e762cc0a5756031c5e6382e9
-
SSDEEP
1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8sle:Olg35GTslA5t3/w8X
Score
10/10
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" ixloden-for.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" ixloden-for.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" ixloden-for.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" ixloden-for.exe -
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4748505A-5247-4643-4748-505A52474643} ixloden-for.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4748505A-5247-4643-4748-505A52474643}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" ixloden-for.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4748505A-5247-4643-4748-505A52474643}\IsInstalled = "1" ixloden-for.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4748505A-5247-4643-4748-505A52474643}\StubPath = "C:\\Windows\\system32\\ounrigoap.exe" ixloden-for.exe -
Sets file execution options in registry 2 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe ixloden-for.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" ixloden-for.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eacheaxeak.exe" ixloden-for.exe -
Executes dropped EXE 2 IoCs
pid Process 2064 ixloden-for.exe 1116 ixloden-for.exe -
Loads dropped DLL 3 IoCs
pid Process 1804 55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe 1804 55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe 2064 ixloden-for.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" ixloden-for.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" ixloden-for.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" ixloden-for.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" ixloden-for.exe -
Modifies WinLogon 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} ixloden-for.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify ixloden-for.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" ixloden-for.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\etgosag-eteas.dll" ixloden-for.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" ixloden-for.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\ixloden-for.exe 55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\eacheaxeak.exe ixloden-for.exe File created C:\Windows\SysWOW64\ounrigoap.exe ixloden-for.exe File created C:\Windows\SysWOW64\etgosag-eteas.dll ixloden-for.exe File opened for modification C:\Windows\SysWOW64\ixloden-for.exe 55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe File created C:\Windows\SysWOW64\eacheaxeak.exe ixloden-for.exe File opened for modification C:\Windows\SysWOW64\ounrigoap.exe ixloden-for.exe File opened for modification C:\Windows\SysWOW64\etgosag-eteas.dll ixloden-for.exe File opened for modification C:\Windows\SysWOW64\ixloden-for.exe ixloden-for.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 1116 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe 2064 ixloden-for.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1804 55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe Token: SeDebugPrivilege 2064 ixloden-for.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1804 wrote to memory of 2064 1804 55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe 28 PID 1804 wrote to memory of 2064 1804 55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe 28 PID 1804 wrote to memory of 2064 1804 55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe 28 PID 1804 wrote to memory of 2064 1804 55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe 28 PID 2064 wrote to memory of 436 2064 ixloden-for.exe 5 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1116 2064 ixloden-for.exe 29 PID 2064 wrote to memory of 1116 2064 ixloden-for.exe 29 PID 2064 wrote to memory of 1116 2064 ixloden-for.exe 29 PID 2064 wrote to memory of 1116 2064 ixloden-for.exe 29 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21 PID 2064 wrote to memory of 1240 2064 ixloden-for.exe 21
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:436
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1240
-
C:\Users\Admin\AppData\Local\Temp\55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\55c0af260d6707b8522bddb917281430_NeikiAnalytics.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\ixloden-for.exe"C:\Windows\system32\ixloden-for.exe"3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\ixloden-for.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1116
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74KB
MD520f2a0e89ef470e5ea2e01e52927253a
SHA16e8539221503971b654a025edc712a859eab5d3a
SHA256e4c07c0c08425c036fbb1550db325c7758c36c7cbf90e68b2bbce8678a7f4e68
SHA5129ccc8d2cb9ed0e13d08f9e6207fc0f2cfce0325949236b461bf0ba79afe77020b41f5011085fcded37807aed1dec27032615030171f4a3a1bd573b4c1b80840a
-
Filesize
5KB
MD5f37b21c00fd81bd93c89ce741a88f183
SHA1b2796500597c68e2f5638e1101b46eaf32676c1c
SHA25676cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
Filesize
73KB
MD5e31ad5c7d7a0eed4eb64bd6c172705e8
SHA190dafdd9cc3ad79c401de5a2a9b61d591c520388
SHA256ee727685ada8cd0b307d4519e62a34566363c6cd5b332ab15ca1d917105f9118
SHA512e1319527dc28524992b986164dbde5a97b70726f754c77fa65c9be2ae534c6edc17e207e3f1d3bc1a6892f513531aee167888e9253916d76cb75185df5c94d8c
-
Filesize
71KB
MD555c0af260d6707b8522bddb917281430
SHA1c9bc12e251dcc86a2d741901e6e3ec71ac9f9e0b
SHA256b987bc2b4b4e0fc800c67068f35f31f9c8cd5e61b813d0cf1a860a5c3379009a
SHA51238ac8a5125e6551f23ea5fbbfdcb06094010a0702be059fa916c0a12e9700c074bbe92f2a56cff1e136bc1246d3bac30b533e339e762cc0a5756031c5e6382e9