Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

482ff905f1...cs.exe

windows7-x64

10

482ff905f1...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/05/2024, 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe

  • Size

    45KB

  • MD5

    482ff905f158982b6ac97ec78423bd60

  • SHA1

    8ddf926035db93ae5217d4dd6baf2756fb9b471e

  • SHA256

    d44289e14cc4a6807c36d5f39a3b74a8bdcfa6bd687ec12254f04b276bcfce4b

  • SHA512

    68ce31fa62e31e7a5cf072a38c8cfc213750ad916bc823b6eb883421f5e3db700cfa9db2037c16b7d97ca046c64a1699d40d1c8172d9360f62c386341b715e77

  • SSDEEP

    768:xmFQj8rM9whcqet8Wfxd9Mmnfa+TAOBJgZiPGyilSniJO14ktp7DFK+5nES:zAwEmBZ04faWmtN4nic+6GS

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1828
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5112
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4768
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4236
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2060
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2220
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2928
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    45KB

    MD5

    eb45d32241b6e7c8ffd0c4be7d6fba77

    SHA1

    c844d4ab3922cf8277220dc4a83c11d1bd50f572

    SHA256

    969924655524b07aa1a523c0c2b5f12052c5085cb7fc9eaf11c16e7b6a84fe68

    SHA512

    119e09ac42817f788467ab25325faa3831f8d1222df0c9b17245042163b5d6a280f0d6042cb7751bc89ddb60f44eadab266af7b632a40bff651d1aa2fa67e2ae

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    45KB

    MD5

    6b0f2faa166bb8e669b1b2be668940e2

    SHA1

    f9be7d8b0f55c8355ef8ef1f008dbd80cef12022

    SHA256

    a1267004b54bcfee329c05ca3fce5f64dddc5c382be95a30869455d597e95e59

    SHA512

    19cad1f4cea91f1800c199f289184cbfc5aa7589f60f8ae729a85ad1c71e982353237fb07b70aa416381c5854eb7c441b5f120f793f0a8f232a90949e2997c26

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    45KB

    MD5

    57ee6d5b97b286a3d8d2d5151f3998db

    SHA1

    87ad31e796d1e26b223b94efcd76c847ac724fb7

    SHA256

    aae54baa6b1d7fa0b3c8a59d7033c979e812a36146f8f9f7b18e435386b691f9

    SHA512

    6c36e7f5cf4238a7b43e893608062f207f508f80d1e2f05cd13a4449d738e62f73bcb279306266cbff21198c6f1181e4882d369d7cb64524f2e27522d712eb3c

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    45KB

    MD5

    dd34bee82ab8a01a2d3a432e11e9625d

    SHA1

    42a9da0b2099130fc7e812a2cf5b99b3eee6f7a4

    SHA256

    7bb24e856e1dda5486946073e6ff9690e2c486fdb3b23adab60e1ffda8eddd37

    SHA512

    2f92ab9b91bc99004edc064cc742a4c165af62ddc7bbf3ea956539d8d263e28f71f897a928597ce5e8998fc4a143a5086cf2129761d6e611ebfab05481b681b0

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    45KB

    MD5

    482ff905f158982b6ac97ec78423bd60

    SHA1

    8ddf926035db93ae5217d4dd6baf2756fb9b471e

    SHA256

    d44289e14cc4a6807c36d5f39a3b74a8bdcfa6bd687ec12254f04b276bcfce4b

    SHA512

    68ce31fa62e31e7a5cf072a38c8cfc213750ad916bc823b6eb883421f5e3db700cfa9db2037c16b7d97ca046c64a1699d40d1c8172d9360f62c386341b715e77

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Filesize

    45KB

    MD5

    1c0a421052c79dafd7eb62a24261a050

    SHA1

    cadad6d139c589861ea1312c8023cf705d441451

    SHA256

    547c92d8cc5f75dc6555b6732c6beb428bf7f476dfe9d6dce221161caa0a6bfd

    SHA512

    15412842548eb60562fd7edfd27c904bee736ead239903d56633d5ea91f7fa36369523c7fc2f9859e144feaec71deb5c21b1e1df5a91699670efc91bcbad7267

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    45KB

    MD5

    0788dd688043eb89fae9975387d0db57

    SHA1

    4c4f030df37ab6d34786f22e53901486d455f349

    SHA256

    42ff08fb10e822e45b13501236d07cf196aa73f3a19efcd4d66338f0a0de24c8

    SHA512

    8b0d4a88085102a38804ecc0304561f7626dadb6ab0f8c80abc009cbd12b36ab539d16d26fc3e7c37987094007bdd0f35212b380e81117417efbb06031f80676

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    45KB

    MD5

    51509a486752b8e1f949342d3e64ee9f

    SHA1

    265c3eeca011ac8eb80d3ffde7c6e1fc96fef00f

    SHA256

    5f9aaed3d7fea0f50714d6e10906aaca78d0ba15337d946ce07134d7d76c1750

    SHA512

    6aebc1e7729b59bd31a23ef422103a80da5efdde68d8a35275afc257da1733cf647c11af8695938ce59b21181d2424ba4b0b8da870e4edad6256cb36fa311c6d

    Download Submit

  • memory/1828-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1828-155-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2060-131-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2220-139-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2220-135-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-146-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4236-124-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4768-120-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4868-153-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5112-113-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download