Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/05/2024, 03:50
Static task: static1
Behavioral task: behavioral1
- Sample: 751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe
- Size: 66KB
- MD5: 751dd87e2d9386c084b1c5a37606f8e0
- SHA1: 822c1b5e3bf75c4aaf3dc005ba1a39fb5432ed09
- SHA256: 62d7ffee1160f332be5a1031c236f0088f02a2915eb4c22dd3475a81f93ed219
- SHA512: 970c02f1ada79b3ea3e4ae4adbc5fca6a23f43e10b5faa4b2625c45927d9850a0228916dc549fef31498b2e1cb5462d0aefa97b5a870322fc01c22040829503f
- SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi1:IeklMMYJhqezw/pXzH9i1
Malware Config
Signatures
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
- resource: behavioral2/memory/3040-36-0x0000000075350000-0x00000000754AD000-memory.dmp (yara_rule: BazaLoader)
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
Executes dropped EXE (4 IoCs)
- PID 2592: explorer.exe
- PID 4716: spoolsv.exe
- PID 3040: svchost.exe
- PID 3656: spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
Drops file in Windows directory (6 IoCs)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: 751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe)
- File opened for modification: \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: svchost.exe)
- File opened for modification: C:\Windows\system\udsys.exe (process: explorer.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process (64 entries): 4364 751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe 4364 751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe 2592 explorer.exe 2592 explorer.exe 2592 explorer.exe 2592 explorer.exe 2592 explorer.exe 2592 explorer.exe 2592 explorer.exe 2592 explorer.exe 3040 svchost.exe 3040 svchost.exe 3040 svchost.exe 3040 svchost.exe 3040 svchost.exe 2592 explorer.exe 3040 svchost.exe 2592 explorer.exe 3040 svchost.exe 2592 explorer.exe 3040 svchost.exe 2592 explorer.exe 3040 svchost.exe 3040 svchost.exe 2592 explorer.exe 2592 explorer.exe 2592 explorer.exe 3040 svchost.exe 2592 explorer.exe 3040 svchost.exe 2592 explorer.exe 3040 svchost.exe 2592 explorer.exe 3040 svchost.exe 3040 svchost.exe 3040 svchost.exe 2592 explorer.exe 2592 explorer.exe 2592 explorer.exe 3040 svchost.exe 3040 svchost.exe 2592 explorer.exe 2592 explorer.exe 3040 svchost.exe 2592 explorer.exe 3040 svchost.exe 3040 svchost.exe 2592 explorer.exe 2592 explorer.exe 3040 svchost.exe 3040 svchost.exe 3040 svchost.exe 2592 explorer.exe 2592 explorer.exe 2592 explorer.exe 3040 svchost.exe 2592 explorer.exe 3040 svchost.exe 2592 explorer.exe 3040 svchost.exe 2592 explorer.exe 3040 svchost.exe 2592 explorer.exe 3040 svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2592: explorer.exe
- PID 3040: svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 4364: 751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe
- PID 4364: 751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe
- PID 2592: explorer.exe
- PID 2592: explorer.exe
- PID 4716: spoolsv.exe
- PID 4716: spoolsv.exe
- PID 3040: svchost.exe
- PID 3040: svchost.exe
- PID 3656: spoolsv.exe
- PID 3656: spoolsv.exe
- PID 2592: explorer.exe
- PID 2592: explorer.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Columns: description | pid | Process | procid_target
- PID 4364 wrote to memory of 2592 | 4364 | 751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe | 82
- PID 4364 wrote to memory of 2592 | 4364 | 751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe | 82
- PID 4364 wrote to memory of 2592 | 4364 | 751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe | 82
- PID 2592 wrote to memory of 4716 | 2592 | explorer.exe | 83
- PID 2592 wrote to memory of 4716 | 2592 | explorer.exe | 83
- PID 2592 wrote to memory of 4716 | 2592 | explorer.exe | 83
- PID 4716 wrote to memory of 3040 | 4716 | spoolsv.exe | 84
- PID 4716 wrote to memory of 3040 | 4716 | spoolsv.exe | 84
- PID 4716 wrote to memory of 3040 | 4716 | spoolsv.exe | 84
- PID 3040 wrote to memory of 3656 | 3040 | svchost.exe | 86
- PID 3040 wrote to memory of 3656 | 3040 | svchost.exe | 86
- PID 3040 wrote to memory of 3656 | 3040 | svchost.exe | 86
- PID 3040 wrote to memory of 1120 | 3040 | svchost.exe | 88
- PID 3040 wrote to memory of 1120 | 3040 | svchost.exe | 88
- PID 3040 wrote to memory of 1120 | 3040 | svchost.exe | 88
- PID 3040 wrote to memory of 2112 | 3040 | svchost.exe | 96
- PID 3040 wrote to memory of 2112 | 3040 | svchost.exe | 96
- PID 3040 wrote to memory of 2112 | 3040 | svchost.exe | 96
- PID 3040 wrote to memory of 2188 | 3040 | svchost.exe | 99
- PID 3040 wrote to memory of 2188 | 3040 | svchost.exe | 99
- PID 3040 wrote to memory of 2188 | 3040 | svchost.exe | 99
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe"
PID: 4364
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  Depth 2: \??\c:\windows\system\explorer.exe
  Command line: c:\windows\system\explorer.exe
  PID: 2592
  - Modifies WinLogon for persistence
  - Modifies visibility of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    Depth 3: \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe SE
    PID: 4716
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      Depth 4: \??\c:\windows\system\svchost.exe
      Command line: c:\windows\system\svchost.exe
      PID: 3040
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        Depth 5: \??\c:\windows\system\spoolsv.exe
        Command line: c:\windows\system\spoolsv.exe PR
        PID: 3656
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        Depth 5: C:\Windows\SysWOW64\at.exe
        Command line: at 03:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        PID: 1120

        Depth 5: C:\Windows\SysWOW64\at.exe
        Command line: at 03:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        PID: 2112

        Depth 5: C:\Windows\SysWOW64\at.exe
        Command line: at 03:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        PID: 2188
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)