Analysis

  • max time kernel: 149s
  • max time network: 94s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 15/05/2024, 04:59 UTC

General

  • Target: 83218599358597d4b0637a32726630c0_NeikiAnalytics.exe
  • Size: 73KB
  • MD5: 83218599358597d4b0637a32726630c0
  • SHA1: 0924f94e6b2fe183b58044077047ff12157cfa42
  • SHA256: 8d898cb882820bf073e475e86d693fbc2ba33645a1b02fa12d606005e7e09d24
  • SHA512: d74b8aa3b4a534f644c3ea114a3b18860fbc8819202ec16b3cdea085b6a659648808442bc2f12a70f496820c28d9019c68fb1578a6c956f8c3a3759ed41416dd
  • SSDEEP: 768:x/nlrF9TAbYmFr1BndWdhKjJFJLLeTYSOmPPxfXjGca8Iaxqm4Ts9s5qCfRpXMRJ:x5FNAlTnd+5rO0PxfXZVBZq5qYXMEs

Malware Config

Signatures

  • Windows security bypass (2 TTPs, 4 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  • Sets file execution options in registry (2 TTPs, 3 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Windows security modification (2 TTPs, 4 IoCs)
  • Modifies WinLogon (2 TTPs, 5 IoCs)
  • Drops file in System32 directory (9 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\winlogon.exe
    Command line: winlogon.exe
    PID: 612
    • C:\Windows\Explorer.EXE
      Command line: C:\Windows\Explorer.EXE
      PID: 3388
      • C:\Users\Admin\AppData\Local\Temp\83218599358597d4b0637a32726630c0_NeikiAnalytics.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\83218599358597d4b0637a32726630c0_NeikiAnalytics.exe"
        Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
        PID: 4672
        • C:\Windows\SysWOW64\avbafit.exe
          Command line: "C:\Windows\SysWOW64\avbafit.exe"
          Signatures: Windows security bypass; Modifies Installed Components in the registry; Sets file execution options in registry; Executes dropped EXE; Windows security modification; Modifies WinLogon; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          PID: 4704
          • C:\Windows\SysWOW64\avbafit.exe
            Command line: --k33p
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
            PID: 2772

Network

  • DNS (avbafit.exe) to 8.8.8.8:53
    Request: ygdsqcgomkk.cg IN A
    Response: (none)
  • DNS (avbafit.exe) to 8.8.8.8:53
    Request: ygdsqcgomkk.cg IN A
    Response: (none)
  • DNS to 8.8.8.8:53
    Request: 26.165.165.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS to 8.8.8.8:53
    Request: 56.126.166.20.in-addr.arpa IN PTR
    Response: (none)
  • DNS to 8.8.8.8:53
    Request: 35.15.31.184.in-addr.arpa IN PTR
    Response: 35.15.31.184.in-addr.arpa IN PTR a184-31-15-35.deploy.static.akamaitechnologies.com
  • DNS to 8.8.8.8:53
    Request: 11.227.111.52.in-addr.arpa IN PTR
    Response: (none)
  Remote address  Domain                      Type  Process      Sent  Received  Requests  Responses
  8.8.8.8:53      ygdsqcgomkk.cg              dns   avbafit.exe  60 B  129 B     1         1
  8.8.8.8:53      ygdsqcgomkk.cg              dns   avbafit.exe  60 B  129 B     1         1
  8.8.8.8:53      26.165.165.52.in-addr.arpa  dns                72 B  146 B     1         1
  8.8.8.8:53      56.126.166.20.in-addr.arpa  dns                72 B  158 B     1         1
  8.8.8.8:53      35.15.31.184.in-addr.arpa   dns                71 B  135 B     1         1
  8.8.8.8:53      11.227.111.52.in-addr.arpa  dns                72 B  158 B     1         1


Downloads

  • C:\Windows\SysWOW64\avbafit.exe
    Filesize: 70KB
    MD5: bacde6595add770736ca8f6689627fae
    SHA1: 9a7c13eb936c5216624c3e4be94659742ca360eb
    SHA256: 861b3f36c682124f523fcbce2fd509b458885946034db64788f2f5599dea837e
    SHA512: b0725c3590bc4e99f595e4160e026a33c9e9e21a76d55e761c38c7560d137024bd3efdef5bf8bad99275a165ef44bdd00e73c8b042bbb67b2d18664efeb3554f

  • C:\Windows\SysWOW64\dpoabeab.exe
    Filesize: 74KB
    MD5: 2ad8d13bdb0ffc83eaddcd772fcedfac
    SHA1: 5d4fcc11be89cb73d1725269815f83e322e9e5fc
    SHA256: a562ae6e852cf5c4c3cf76c801c7f146dc8e1cd1f04efbf1e2df1618429ef92d
    SHA512: 1119d14b90b00ecc2aef18c2227b59ee0e1186da36a3b25ee95a762ea77aafd028c369fe09c4398a4f730e02beb777aac449d004124abb7aa1896dab4157b5b0

  • C:\Windows\SysWOW64\odtaroas-eavur.dll
    Filesize: 5KB
    MD5: f37b21c00fd81bd93c89ce741a88f183
    SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
    SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
    SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

  • C:\Windows\SysWOW64\ubpupooc.exe
    Filesize: 73KB
    MD5: 87adad0812b0b49401b98375a5e7ed73
    SHA1: 084039101368016040633fb66437daae04989301
    SHA256: bcddd8311bbb95c47d6d2a0bee28eb19710d063bc2cc99394d39b446f98cd73f
    SHA512: 9b2075a8cf7b1aef28de868a9d5beeb88d26253674f7aed1c0ce26d34ea52cbecdfbb9e68fdaeb413d9590b0242c3fcf51a45afc5c422aad3295ae3aa8869bfd

  • memory/2772-48-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB

  • memory/4672-3-0x0000000000400000-0x0000000000403000-memory.dmp
    Filesize: 12KB

  • memory/4704-47-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
