Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

19221f0dd9...cs.exe

windows7-x64

10

19221f0dd9...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/05/2024, 18:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19221f0dd9766ba9f9361f52447f6d20_NeikiAnalytics.exe

  • Size

    40KB

  • MD5

    19221f0dd9766ba9f9361f52447f6d20

  • SHA1

    26ba3de7e0a5c6bf4efbd3da45a5209dc253fc59

  • SHA256

    c1477f99bf737702d1de157b752acc7b4989b78c1027dc4f109b77b7b076b312

  • SHA512

    50da9583935a2b5d3461c6cab13eb168f11f665925b569dda221d8e881171b8b4120d8fbccfb9dc6bcb209f70e0fbf70549e4cc179cf4fee3816bf135f2c1e2e

  • SSDEEP

    768:kvfko/XiYUsWEzQp8F9bdHXtHs7CQpcdHoCCvc:kEKZWm+8F95NWee1vc

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19221f0dd9766ba9f9361f52447f6d20_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\19221f0dd9766ba9f9361f52447f6d20_NeikiAnalytics.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Users\Admin\Admin.exe
      "C:\Users\Admin\Admin.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2572

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\Admin.exe
    Filesize

    40KB

    MD5

    f08a412dde11d9c12db31326b74c435a

    SHA1

    07bc2d1ad68817c8407b0ccadcef65ea4b2577bb

    SHA256

    a0ac940ba18057b9ccbc92dbb4ffb73dc0445f6c2b497965a766a845cac33296

    SHA512

    b177130f206efe559e1f3a096bb0aa694f3489b81b07e4321b343d33f5f11af33027d9709e4a2111700438c139b565be03a0b66cac06162c0a9c322d48a923c7

    Download Submit