Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
17/05/2024, 14:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ed2318bec81a939e30e41f4a59223bf0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
ed2318bec81a939e30e41f4a59223bf0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
ed2318bec81a939e30e41f4a59223bf0_NeikiAnalytics.exe
-
Size
73KB
-
MD5
ed2318bec81a939e30e41f4a59223bf0
-
SHA1
592ba933f88f9b4cb1029a4d41769271e1df2964
-
SHA256
03590c1aa298be61d20c0658e8571691e7180614834a220a1c65310bd263ffd4
-
SHA512
2c775952038ad0415e7236336901ea858cdd22153cf6468efd0bde9a1d52d0dc15501912c3b5a8784bfff3a81403e251bdc9889f5f626d9804bb232b691c38c1
-
SSDEEP
1536:xJHpt8q03mUqaoPB8TvSrtXr1CNs9utog:PH0j3x1oPB8TvS5ANsm
Score
10/10
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" epbiveak-sed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" epbiveak-sed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" epbiveak-sed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" epbiveak-sed.exe -
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C4C5844-4845-5743-4C4C-584448455743} epbiveak-sed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C4C5844-4845-5743-4C4C-584448455743}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" epbiveak-sed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C4C5844-4845-5743-4C4C-584448455743}\IsInstalled = "1" epbiveak-sed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C4C5844-4845-5743-4C4C-584448455743}\StubPath = "C:\\Windows\\system32\\kretub-asat.exe" epbiveak-sed.exe -
Sets file execution options in registry 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\fkoamooh.exe" epbiveak-sed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe epbiveak-sed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" epbiveak-sed.exe -
Executes dropped EXE 2 IoCs
pid Process 2852 epbiveak-sed.exe 3696 epbiveak-sed.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" epbiveak-sed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" epbiveak-sed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" epbiveak-sed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" epbiveak-sed.exe -
Modifies WinLogon 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} epbiveak-sed.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify epbiveak-sed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" epbiveak-sed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\elfeakoap-tix.dll" epbiveak-sed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" epbiveak-sed.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\elfeakoap-tix.dll epbiveak-sed.exe File created C:\Windows\SysWOW64\elfeakoap-tix.dll epbiveak-sed.exe File opened for modification C:\Windows\SysWOW64\epbiveak-sed.exe epbiveak-sed.exe File opened for modification C:\Windows\SysWOW64\epbiveak-sed.exe ed2318bec81a939e30e41f4a59223bf0_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\fkoamooh.exe epbiveak-sed.exe File created C:\Windows\SysWOW64\kretub-asat.exe epbiveak-sed.exe File created C:\Windows\SysWOW64\epbiveak-sed.exe ed2318bec81a939e30e41f4a59223bf0_NeikiAnalytics.exe File created C:\Windows\SysWOW64\fkoamooh.exe epbiveak-sed.exe File opened for modification C:\Windows\SysWOW64\kretub-asat.exe epbiveak-sed.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3696 epbiveak-sed.exe 3696 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe 2852 epbiveak-sed.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2852 epbiveak-sed.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4612 wrote to memory of 2852 4612 ed2318bec81a939e30e41f4a59223bf0_NeikiAnalytics.exe 83 PID 4612 wrote to memory of 2852 4612 ed2318bec81a939e30e41f4a59223bf0_NeikiAnalytics.exe 83 PID 4612 wrote to memory of 2852 4612 ed2318bec81a939e30e41f4a59223bf0_NeikiAnalytics.exe 83 PID 2852 wrote to memory of 3696 2852 epbiveak-sed.exe 84 PID 2852 wrote to memory of 3696 2852 epbiveak-sed.exe 84 PID 2852 wrote to memory of 3696 2852 epbiveak-sed.exe 84 PID 2852 wrote to memory of 612 2852 epbiveak-sed.exe 5 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56 PID 2852 wrote to memory of 3424 2852 epbiveak-sed.exe 56
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\ed2318bec81a939e30e41f4a59223bf0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ed2318bec81a939e30e41f4a59223bf0_NeikiAnalytics.exe"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\epbiveak-sed.exe"C:\Windows\SysWOW64\epbiveak-sed.exe"3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\epbiveak-sed.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3696
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD5f37b21c00fd81bd93c89ce741a88f183
SHA1b2796500597c68e2f5638e1101b46eaf32676c1c
SHA25676cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
Filesize
71KB
MD560359c61e4da069cec093a2dd1196370
SHA1fba7471e02c8247c862b52cff60826526027bac8
SHA25669cfbee35bd146843d49f423b278ccff7e5551d9bee626f64483a340168d0ef8
SHA512e8fc625e6fbf8e4e483d976147c6d8f6d29af027e7a940ca39f92cf10995c64fc7a724fcca46029675e98c0f5db587fb21588c711162d33b2e1a45b3683608ef
-
Filesize
74KB
MD5f01011f3d13d1b933821ce59a4ddd3fe
SHA1cfee1201920457bf87cc4d1253412c5cd90e27e2
SHA2568e4e23b553bfc75e3c5b66896ffca38ffb61f40601afb438807fbba6ccee11ee
SHA512eaab076fdc533e01f6f2196b92c634b7bc76b4f90421315425c96876bfbd2cdb26b1e9a1466bf4169a03f5cc3d55e24f07961c4738a7a0e4c1533de2ddc093d5
-
Filesize
73KB
MD57632ebfd7cd9e1b5b44f29a732283a14
SHA1ba0cd5af9f6b7edfb628a840b156845057b75b09
SHA256a614902946425fe23fb7ba34a147669b66c1e4dfdc6bf5387d8e2937399d2f55
SHA512ca5f49b83756bc66f05300f5edf25a48f0764d626e58cfaa71cf13fe6842ec4110e8d335357178deef8ad94963ae8bc7552ab248fc57871e8b6b13a7f78696ab