Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
15/05/2024, 08:28
General
-
Target
aed07f00b67382027af544a03ae22ea0_NeikiAnalytics.exe
-
Size
457KB
-
MD5
aed07f00b67382027af544a03ae22ea0
-
SHA1
b984c64693f050d8d44b084b9da26442b7569630
-
SHA256
e926c75748a58a92966a499b1503c7d06205bc823dd21e0b7d6257d8d1eaf423
-
SHA512
2e9839ccce890a99339b5587e8df4da06d20ba85de261730beba8ca4c301b716d97ab7c8cb01c504dc06d6ba574ad7bb20771a79600c20b9e7f3b36af5f908aa
-
SSDEEP
6144:mY+32WWluqvHpVmXWEjFJRWci+WUd20rUU5EYCTvaBju4zh:dnWwvHpVmXpjJIUd2cUusvalxzh
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 12 IoCs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies system executable filetype association 2 TTPs 2 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 42 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aed07f00b67382027af544a03ae22ea0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\aed07f00b67382027af544a03ae22ea0_NeikiAnalytics.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\OUD4E7P.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"C:\Windows\OUD4E7P.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\OUD4E7P.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"C:\Windows\OUD4E7P.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\OUD4E7P.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"C:\Windows\OUD4E7P.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\OUD4E7P.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"C:\Windows\OUD4E7P.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\lsass.exe"C:\Windows\lsass.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
457KB
MD5dfca66e38ef53fd2e50178bb660fbaac
SHA1cf50c40df7191bb50b9aabaed3a29f6fbf92db9c
SHA256161059bc88bd85d66568130324433555eba0ae57f2dab437754681c2f7178923
SHA512106e681e920a192423322a8d0d8da5216abf32d07c3c7e8ba833dfd9b55703f2f37b0f216b0e742d96f0e8b5e72896aa7d6bba7bd49aec4f7beac4011201de79
-
Filesize
457KB
MD5fc5eb4582c491db5d367933b65338783
SHA14ab4747192fa1aea5cea9f1eb9cbb4924dad6a91
SHA256d54dabe0087c54ed0758b90854e7fd550ee43346eadeabe7398b0b19711a1588
SHA5123eb4f9ae9aa770f8e6d3d62f7f790516be0c58a66c3277470cbc4fb9f6cff45c61484d475ca3d707a9a06f7bc35a4b744406691e0fd560eb03fedf9d84abea9f
-
Filesize
457KB
MD568787e3e1ec4355ec3a63a7b46bd45e6
SHA10a7f9b65efe61e198ac8d5b31ded06cb4f39bb22
SHA2563ea51f6ad48a123385c2ed8876204b51a3f438c96db242d5dfc4fe58e2871d0d
SHA512652a9adefa67a052473b9f1124ec01c5766691aecee952a6d683676cdc6060ff77572d45c0e7ee216af024c545a76a953cf3175371e69ce2cc55008b7a5daca0
-
Filesize
457KB
MD5e500b6db79d23812fa3d1f9973f22c6a
SHA1b3bfbd57c37e7de7abb575f6391a51a14b45f3fb
SHA25653eab63aec46db8cb6d16e737decbc01f1aaf02c0bde7f09588b03a8c5156829
SHA5122069631363d273e589bb9d188e96aad722f64871ae4539312fb9a20e748ebbf562bb1e5dbca512236a9c1cc329d4cbfe8c7ce1da306f39bbfd7f8cec424b0c1f
-
Filesize
457KB
MD517ae9e7388383b7beb8c65327da447b1
SHA1ad82972c50cb3cd1f0ffee092e6acf82463e580c
SHA2561831a18915b07eb22416a24f23683d9c88e7b81c9c599997a582c7e1e62be8fa
SHA512c34691f5b452a7dfcbcc577ef0b6c1904339cd2674713eba463cf436008455ebc1f24f0e1b91b017967b451889d6aafeaa9f42a70e072f717787c0fa30dd2b72
-
Filesize
457KB
MD5817281845db6dacb3ceeafd0837d5c33
SHA1cd3967e24fc703e64bc46e8e0586a94560a876b0
SHA256a820ddcdce70e470b5459b385bb51a0836ee71a9c487c22dace49233cbbacf5b
SHA5124555080f5b264aada6e5df72c37ab77f6beed0583d5cd3d11c41240a98b96eb7a9ae68965d14aca8e512ec657403aa3761010646234ff2c15deb83bbaf59705b
-
Filesize
457KB
MD5fa39fd020a05b6fde6f9e64e34cd284e
SHA133a473bd1d11c5e5f8fcc7a3d0051cbb6658e49d
SHA2561533e91314d6f9a6e48fd2e60e3f38809ead1184b593438983d1751bc270df86
SHA5125d7c5fc314196cabe2683c55cf733eaf8575b799979916e25399dd9dc140880e61915955857e89ac03324a2742a3a0e752a44e7cea0ccaa50b0772714c27b6e8
-
Filesize
457KB
MD591f1911a42f3d8b5546c2fedbdb054ed
SHA1b8cb45eb7024982954ca7a00848382fbad4912ea
SHA2560bf80406405f6088753aa43db565f767b4a31ad7afd313e4ed6e406e72e98ad7
SHA512c754d82a84a415a580a012a1e92d3deb2863096e8cf2dd2c9f05e3bfa9f6709cfd1a114dbd500f3f63f214c4fe16905e3cbb116d1f1ed3c6600e4e60a2cb6ab9
-
Filesize
457KB
MD557c039e53e8830d85c8e94e9d42af897
SHA11ef00c2fa348c194b006f52d3d774cfd46431135
SHA256cd1149479226b16efe111f578f7e7e0491805f79470794c91eac04742b8fde53
SHA512e721ca8ee145ba8880b75e98965caf02e6683614ce1c33cfda7d2386f2fdfa37ae0be090dc215f53a35e39a2562774508c583b59a06e58160b8c70beb60c12ce
-
Filesize
457KB
MD5eb6f9891f8f2bc133c24ed5b1a9ea59a
SHA1172e55dafd340d1f026a99ea030a8cd215105627
SHA2565bbd58484b20ada4e182fa0f650457aadde688fdf318e241fe316e8ce833e685
SHA512b8139e50d5bd1425a8fc699d4d744ea27e5fbb4aa044995a9c26a0bf4768aee03690b4e4098e43a95e84e5b9e11f63465b0dfb1424e3225e9225bdd91a03a254
-
Filesize
457KB
MD5f2fcab8cc8d7caf2ce6e0ac60f09793f
SHA1b2ae0c22f812ed63e9200c24726b7db42e50835f
SHA2562ef91696f3549bfdfccd796b73d274a0214069132e2686abf7c2fb3ab57b5682
SHA51232b678986d93489007c9608923e7ccf22eacd450536c234b8c956d99c72af867e64014626f4c08f1ec9866e1fc2fbb77a1a19cdec9390830224eee4d81c4b5be
-
Filesize
457KB
MD53bd89a0ea1de5bd186e6a915b6ab4fbd
SHA1ca2ef71b90b57b14a56d91bb1ea33e49c48cbd69
SHA256af0054df43fbfc6d7fbbe3c5222138cc98d2fc2ca9eb8949953fcc33d73dbf48
SHA512d352f486ee4d8e13ace47c388f076ea928b99145794ade4986a7e7d7c7ddd5e283ee6ae4bb7e350bc96ddcb7fb8465c528359a663a3bcdbe631e6d35fa5cf9b8
-
Filesize
457KB
MD5aed07f00b67382027af544a03ae22ea0
SHA1b984c64693f050d8d44b084b9da26442b7569630
SHA256e926c75748a58a92966a499b1503c7d06205bc823dd21e0b7d6257d8d1eaf423
SHA5122e9839ccce890a99339b5587e8df4da06d20ba85de261730beba8ca4c301b716d97ab7c8cb01c504dc06d6ba574ad7bb20771a79600c20b9e7f3b36af5f908aa
-
Filesize
457KB
MD50a03faa1708b6dec4296b22ab7746254
SHA155dd7adcdc8a89a32314c1fd44d10d80c32b5126
SHA256409fcc21acb7e7329ebf4946d7ee50fcab668510b547bf9c74d602772741c5b0
SHA5123f76909d029731dc3e8e3cdb7c00c54fff66404e7b84e09772d1985f322e75ec7b4ae60ffb706de694fe796a9f939af1e1bed5492b6b138a0139de8246aa07f2
-
Filesize
457KB
MD58415e3ba4b92d99528bf141ab9e80642
SHA1af6464bdff006368e964c7a8a600b50d945ca548
SHA256ad4f74581ee57c351f07e7654a2a13a7c1f8bf5b6f94121e3f8c208fd621b1f6
SHA512f85597e6967b49cae02445600dbbdbcd6d88217f3db234db89c33221d969ee822fbe531be4f765835103a890ad69d0c7d4ddadee508eaa869aa60e65ab73a336
-
Filesize
457KB
MD59ccb72238f189b63eb5465129a4c77f3
SHA18c5b16e81683bd57c0ec4cf4003691a7cdfee4c0
SHA25605af829ad1c11f464893146b95b3f6088a1a993ccd2253512efe0cc475258466
SHA5120d093ea9104f76538d7ebbdd543d37cee77caa10d0fe8ec1c30dac5999e7a522704ed13771d61269d766ce74d3adbb2df3732a87f578a503055faa57a6ada48c
-
Filesize
127B
MD54bf80d95cf7e96ce5e9ed0280399c824
SHA1a3da7c056c61904e970bf237c68b3735bde110e0
SHA256591839bff6b44c4e44739092a82d9796a533f3beeb70e45fdf28b422e71ad922
SHA512ec870d3997eb6a5e56b47b29f6e074d5bd7317fb75368334e982e038f2500d8a5032b8e23446da40721a3a2ef77f7c149f6abe2c6acdbf274d4b2c3a6c5dad44
-
Filesize
141B
MD54e085437651dca95d69ca14e9430bc2c
SHA1648b98d72a6daf40da1f90e3ac0a0002f35aadad
SHA2562f6b337bab31640820e65b9f1752aef0ccb31b6afef0b848bac16a249d3c7040
SHA5125564d90bc8e8dde30f639335aaa2f66ee68a073d844e985e49069e80c0eae04271737817addea68554549d5299bc662e9b0af9f589fd32d38cea6b42f3a3a86f
-
Filesize
361KB
MD5c5c7392dc94c13ef23f98cb3729bf711
SHA1404d820f4b62462eb932275e3b58a1be42896e7c
SHA256b73e8cf25db9683d28cca18b3db91fefa1f8c1f6c06bcb0ff1855c9ca3e498f3
SHA5127153bfab3578b60732b0f86fef10bbb722e978124b1d71c58373e8dfbf3a989983314ab63b40ef99722c42d12da2a28955c770d0f1223993145fd9246ff0cc43
-
Filesize
361KB
MD5792002d3119e878a40b9dba1ba984f70
SHA1a4c3cca3eb138c4cf1c7374d28f3a7820f2f191a
SHA2560068b403ca2bb754d96d4fddcb9e6539a8d93e800074402203e10f51e57ec78d
SHA51236a4de738011bd0208858d804d574f4819a7c5b429d2715449798ea98ebf789399b2b0d2b2326c9c7b1aa1accd76838d0112c6339571240a38fafc1355f5775b
-
Filesize
361KB
MD526f2877dc2b09e2739d77e92503c4ea4
SHA1d5bf6af509884d16e6a11a5a3a3f57aa2de16d3c
SHA256423cd8275afe8a3fec35335df91322e6640822ff7e25445451cb924c334479e8
SHA512095f89ae79a3c5012c117c9ab07c1932b86ebf171efdb9ad7dd0709d3a8d48b6b9b2e74a1b1a0ccf96ac9ef415965b473dab2864cf3192149986342549511722
-
Filesize
361KB
MD5ec5702730c23e0a018294594ab43b089
SHA101fb205e1c0945f20727daf32e5d96a8143dff22
SHA2566e7a81af9546674515074881e6075070f07f38340d7847b1c45d84a1e7137acd
SHA512617224e82df6c6b88364194b787436d1cf27d918ad951bd58034955d07e1ed7842bc423ac900a96703f7845cf0c8303c3ef9ece2973851999ddd9f90ce4cb340
-
Filesize
457KB
MD5b018f416ce6abf93157ef986a10a3c22
SHA13554a65aeaacc1782a112272c3389efb388d4928
SHA256bc56d2e94d799c05c83719dc3cd09d62c8d1a25296780dc67ebe30e2242234e9
SHA5129e631b592a27437e7d4339081dadb236869bd07edf2d977cea2a7f874915e932207b136287c4bff6df589c466ca4eb26577c7c6e225c49e8864778faa8d904cf
-
Filesize
457KB
MD583f3f4538bd299be8c91bd33ee9ef1a5
SHA1820e6e239909eee06fa0de81988587990ce78c9b
SHA256002bfe8702f790835b9463f2aaee9eb6a146a0d65ca6f5e317b6324679aad67e
SHA512de7c1f03571a679b7f3a54bf4276f174fbd1be502532145d440d47148f66a62e61875d88cbdd15269bae6472e3e4b91589c92257e77cf04847d71690ff926b45
-
Filesize
457KB
MD512c137f0575c7efda596317a86054388
SHA1ecb386cbf54863e9b3e9520a0cc01afdd3880683
SHA256d2fb5bafa040110f861e4ab4b797b09aa674a35ed7bed71e7bb936206aa81ac2
SHA5121736be39987145c3745e6397fe60520fda3e3c3c18b99fbc1f430f135d1a49a7c31b159026c4fe52b73ce78245dbc6680aeb8b35e31ad2799a4d166724eb051d
-
Filesize
65KB
MD5c55534452c57efa04f4109310f71ccca
SHA1b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61
SHA2564cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc
SHA512ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a
-
Filesize
8KB
MD50e528d000aad58b255c1cf8fd0bb1089
SHA12445d2cc0921aea9ae53b8920d048d6537940ec6
SHA256c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae
SHA51289ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116
-
Filesize
1.4MB
MD5c79ec3a7a2675b90e0c9af40f8d1cab8
SHA1ec1d7cd4b3b2ecee295e178d4b0bc6afe16b4deb
SHA256104fcb338da8345db51670d5f8f60c4041ea2ab55ea48c18d408866afddfd5d9
SHA512dded4fa9b47f4e1e31639c3c5f20474cc94b634ed757ccc2da449619a2fa63dc8a5c59160279ec1458ac6160123f061f798f5a97798cbecb5df78873aa8be736
-
Filesize
1.4MB
MD54cf6c0dcb4038810477df88465dd8ca7
SHA103383466c38a184d816b9efbc838a1f958c40600
SHA2563b1c71df9d43db5fabd341be8a6b6db4a5a4f863e170b05ac84542ed3ebf901b
SHA51223dbd10c216bfd3e2e1555fa057bd4be8b12c8c4750a0cab86a5b56bfba48eb932dd8c3b740ca6685b937ca0131425f94c765c064c6e2b73e3536f44c092e8c1
-
Filesize
1.4MB
MD5e4e81c08411af3abe6e04f8a0f9c7722
SHA109bd5cff4741157073c19bb8c9d15c2fd30e6802
SHA2565ae5faa8899954921a823e82f98332be918620a28f52fe27f5af724a6a892630
SHA512bd741dcfefcdf75532dfa96246bfec9eebd4fce2e9da36ca50e319ac7fda4ff5d3493710c1958f5ffa79914e0d6ca212ee3fc5324ce2d2c853e66aa50853932a
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
468KB
-
Filesize
468KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB