Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/05/2024, 05:26
Static task: static1
Behavioral task: behavioral1
- Sample: a458b75d41681c76f985eaf8584ca350_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a458b75d41681c76f985eaf8584ca350_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: a458b75d41681c76f985eaf8584ca350_NeikiAnalytics.exe
- Size: 139KB
- MD5: a458b75d41681c76f985eaf8584ca350
- SHA1: bc6049d1b44c7461683f198e789a718830e9f86d
- SHA256: 5ecf2a075eb9f5c28425a599313e810bcc85dcff7ac21f1b8a1fdcbf37117c03
- SHA512: c78256ed35f71440762d344c25a3220d5eb0a29111b8b37c9e72f4db0044ecace75500fe53f852179814e66c5ad4b12b71b9f667da2289d8e70a6b8c95fe9039
- SSDEEP: 1536:ofsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbCwwkG:oVqoCl/YgjxEufVU0TbTyDDalfG
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Executes dropped EXE (4 IoCs)
pid | Process
- 1612 | explorer.exe
- 2600 | spoolsv.exe
- 4948 | svchost.exe
- 4644 | spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
- File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
- File opened for modification | \??\c:\windows\resources\themes\explorer.exe | a458b75d41681c76f985eaf8584ca350_NeikiAnalytics.exe
- File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
- File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
- File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 2256 | a458b75d41681c76f985eaf8584ca350_NeikiAnalytics.exe (listed repeatedly)
- 1612 | explorer.exe (listed repeatedly)
(64 entries in total, all from these two processes)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
- 1612 | explorer.exe
- 4948 | svchost.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process
- 2256 | a458b75d41681c76f985eaf8584ca350_NeikiAnalytics.exe (listed 2 times)
- 1612 | explorer.exe (listed 2 times)
- 2600 | spoolsv.exe (listed 2 times)
- 4948 | svchost.exe (listed 2 times)
- 4644 | spoolsv.exe (listed 2 times)

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
- PID 2256 wrote to memory of 1612 | 2256 | a458b75d41681c76f985eaf8584ca350_NeikiAnalytics.exe | 83 (listed 3 times)
- PID 1612 wrote to memory of 2600 | 1612 | explorer.exe | 84 (listed 3 times)
- PID 2600 wrote to memory of 4948 | 2600 | spoolsv.exe | 85 (listed 3 times)
- PID 4948 wrote to memory of 4644 | 4948 | svchost.exe | 86 (listed 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a458b75d41681c76f985eaf8584ca350_NeikiAnalytics.exe (PID 2256)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a458b75d41681c76f985eaf8584ca350_NeikiAnalytics.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\resources\themes\explorer.exe (PID 1612, child of 2256)
      Command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\resources\spoolsv.exe (PID 2600, child of 1612)
         Command line: c:\windows\resources\spoolsv.exe SE
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\resources\svchost.exe (PID 4948, child of 2600)
            Command line: c:\windows\resources\svchost.exe
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\resources\spoolsv.exe (PID 4644, child of 4948)
               Command line: c:\windows\resources\spoolsv.exe PR
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 139KB
  MD5: a53d048953ce82d90a02dc308c3d3632
  SHA1: feee625ab0238cf917e9344502051c0b9d09a28f
  SHA256: bc5a256d7b9e87948daaa0879f43b1c8349b4e54937ef3a30cf2863087a3708b
  SHA512: 119ad7f757a175ccdb364ecace28f4e455d301c47e9e19fdd5772dcbf620534d95c074ce6492d632fe804f95e891096f8b09a352d9035e583c0741c08a96b304
- Filesize: 139KB
  MD5: 577afeaf19dacaae31c2a777dc0f8320
  SHA1: bde40570df188d3b4bea25df1aabefddcbcc5c7a
  SHA256: 883a0a39ea25f4fc047737d773bee13a0979927afdb09c47f74f5fe79b4a546a
  SHA512: 579c546ac50917546fc2301a1cd54ea36db21d2b028db4aa5e76966ff161519657530bf27e5699301a927a9a29105a151acd888c9f0e54a012f87d324bcfb7c3
- Filesize: 139KB
  MD5: a405e5f0aa8cdbb342ee53d39698bb0a
  SHA1: 2b99c12ff9bf0ba65e1bd9e199a4c695dd758036
  SHA256: c676f47524b06ec264c6f728919ec65284f8f446c7ca77609019b1ae9600d858
  SHA512: 84fa4202ed626ee56cd74dc15ee366cf82a65b0991b8fe0c063226495dfb7ac8a8b2c44577dc24dd0b424494c385e597e3b554278af056603e4bd9fe1ddc4e79