Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

9b18ee1f93...cs.exe

windows7-x64

8

9b18ee1f93...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    142s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/05/2024, 03:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b18ee1f93b12de35440b806738193a0_NeikiAnalytics.exe

  • Size

    124KB

  • MD5

    9b18ee1f93b12de35440b806738193a0

  • SHA1

    470b58fb145e263f3f24486c1bb6e5b0b07c8e8b

  • SHA256

    185ec1f78c7e749381597701565ece7cd923bdc00cc26251af51832e5c97e53a

  • SHA512

    22d986ddc1d1a2b4bc9dd6914e2bfec7a26cba78f723ec74fec92d2a5f3999f9f21c443932956d505363a427b01d17c58069397dddc4adf011451820632cff36

  • SSDEEP

    3072:31i/NU8bOMYcYYcmy5cU+gTn6HOjDhWrzvvQwlgOts5YmMOMYcYY51i/NU8:Fi/NjO5YBgegD0PHzSW3Oai/N

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b18ee1f93b12de35440b806738193a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9b18ee1f93b12de35440b806738193a0_NeikiAnalytics.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.212ok.com/Gbook.asp?qita
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3268
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3268 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3252
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      PID:1372
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:3008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:2528
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4824
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5016
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4640
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5044
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:1056
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:4500
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • Views/modifies file attributes
        PID:2512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    ce22da433e34e64a164222adedda2dde

    SHA1

    795bb029c6f283235b514cb458e2cb2cfdf4aff5

    SHA256

    8019321a2ebf954425959493d26ce513e591c83ac0b989305e2791a23fac60f6

    SHA512

    fa60949fec765d3fa4e4f6498073ec53e341d8ebd4edce9fa3f4af975cac709fdf39df78007db06ff5ff5762b166f07b515d3528e217dbfd9b37b67fc34a1458

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    bfd1fc0b1b2a7b04f9478527049e842b

    SHA1

    38fd870a412426285f094bc24e6bf95bb2833892

    SHA256

    af66570ad0d564328f19c1e8a2ae9f4253701546f9dd706d8ec5431a5100521d

    SHA512

    16c30d75e601eb60960b8b96fa102d2eefc7818b883c1f0c4ce0030d112625a283c8b480632a258f8c6b8bd04560c401b4dc7b183791ec912901e2fed6b33e4c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMPDKH9Q\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\WINDOWS\windows.exe
    Filesize

    124KB

    MD5

    44ff36480ce6c78cc0274441a59e5513

    SHA1

    2fbea23519781a3cdc340d52f546eed4598438a0

    SHA256

    a76ff91355d9236470492b188e6d0fff7837ed1be4fd165f478394f747542ae2

    SHA512

    f714813fbfd553d0e2348424a2c90fd7189654e7f702292be0a5b7781bc8b8dcad2b23d2d0e05e913539e5cf7296460ad09f958a6140b9db24ae07332a155169

    Download Submit

  • C:\system.exe
    Filesize

    124KB

    MD5

    d6c26bfbd45bf2a9764deab6753a47fa

    SHA1

    c3c76fb1ade3f0ea75e1c643eada6b09cd9a3213

    SHA256

    6617d5318e104cf1bc9659fc439acebd292da88f9289df2c3eddbb1b168eb65b

    SHA512

    fe22b871954ac9c468bf58271acb2c0bc7268a81c2a0e31edc3180ab65246004bff4529a7b115d88de4f8b0e0477ee19d2460ac688e1825b8ba3a39afe518bb7

    Download Submit

  • memory/1428-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download