Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

32629ce1f7...cs.exe

windows7-x64

8

32629ce1f7...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19/05/2024, 20:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe

  • Size

    64KB

  • MD5

    32629ce1f77416657b7a279dd5d50790

  • SHA1

    e1c7943e2ae5f6502fdd16cab61f606e605befe3

  • SHA256

    220a3e41da75327c03a554dce99936da7bc6ee906ab79e0372a6b728b18e319c

  • SHA512

    ce1d663e5fa1fdb35b2ad975c46d55a1bf10bea717fe2608475ca5fc6199950407a28fbefedaac29a390bfd240eaae682e80ab7e741ebeccf0deec0c54a0a364

  • SSDEEP

    384:ObLwOs8AHsc4HMPwhKQLrof4/CFsrdHWMZw:Ovw981xvhKQLrof4/wQpWMZw

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe
      C:\Windows\{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe
        C:\Windows\{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe
          C:\Windows\{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Windows\{9546F819-EB61-4648-8B4F-FC55880B461A}.exe
            C:\Windows\{9546F819-EB61-4648-8B4F-FC55880B461A}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Windows\{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe
              C:\Windows\{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2908
              • C:\Windows\{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe
                C:\Windows\{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1492
                • C:\Windows\{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe
                  C:\Windows\{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2412
                  • C:\Windows\{15722C4D-3C14-43c8-904B-85E9BBAFD681}.exe
                    C:\Windows\{15722C4D-3C14-43c8-904B-85E9BBAFD681}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1236
                    • C:\Windows\{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}.exe
                      C:\Windows\{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2664
                      • C:\Windows\{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}.exe
                        C:\Windows\{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1484
                        • C:\Windows\{B8AF1F1F-6FD6-4dd3-AE88-072E2BC9BD70}.exe
                          C:\Windows\{B8AF1F1F-6FD6-4dd3-AE88-072E2BC9BD70}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2392
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B9B14~1.EXE > nul
                          12⤵
                            PID:916
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2EBAE~1.EXE > nul
                          11⤵
                            PID:956
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{15722~1.EXE > nul
                          10⤵
                            PID:1900
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2AC62~1.EXE > nul
                          9⤵
                            PID:2208
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{101A7~1.EXE > nul
                          8⤵
                            PID:2200
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{8A434~1.EXE > nul
                          7⤵
                            PID:2184
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9546F~1.EXE > nul
                          6⤵
                            PID:1628
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{20EE6~1.EXE > nul
                          5⤵
                            PID:2756
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F63C2~1.EXE > nul
                          4⤵
                            PID:2192
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2FD3B~1.EXE > nul
                          3⤵
                            PID:2244
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\32629C~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:2068

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe
                        Filesize

                        64KB

                        MD5

                        61fba7536c9b0ff973be06d896700f0e

                        SHA1

                        24f64e75cc5c7f48ac20ab211331a98eb8fe11de

                        SHA256

                        ccd246d3f115494e400b3ecffdbfb884a3345e18d6c3c906a3a5d2985f4c28e3

                        SHA512

                        33c05f719644d8f597e5fe90c7861b2c39ee605142780c1d38ab35025e60efce303c56b46d7f08834950e16a4293127a77bc094f7ea47e54b378f6762b792258

                        Download Submit

                      • C:\Windows\{15722C4D-3C14-43c8-904B-85E9BBAFD681}.exe
                        Filesize

                        64KB

                        MD5

                        3cb655e546faa728349de2a62ecabe74

                        SHA1

                        3995f00ec6d1e9302b63befcf47e2dc342717273

                        SHA256

                        95cff6c821e1a6c60fd90edc169146f28138aae81b224c0dfbb250fc74c0ef10

                        SHA512

                        a788bcaa82c091b0777fe4e3edfde54161351068db871087070839fab4a8d466eeba2724092c6829638a8ac5cfc2d0f82cd10cb3a225d8fde754122c738d76b1

                        Download Submit

                      • C:\Windows\{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe
                        Filesize

                        64KB

                        MD5

                        7a3cd0c67a34ff1333e8849ba22b4c82

                        SHA1

                        61dfa270d47cf3eb68693941b66aded0e09b7e94

                        SHA256

                        f82f2f89ba2f423168d2f563fb46d5ca3aa46e73a0e6e4d6fce8682f72057d6c

                        SHA512

                        6a34279035d656de3f9f33787357b9133eef1d6e6e9c701764a16eacc94a6b4731fe092903317872dcb7bda5c2879f8992f33dd857cc037a08b04629d21c2cdc

                        Download Submit

                      • C:\Windows\{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe
                        Filesize

                        64KB

                        MD5

                        99c5dc7cf5cd01082177445069fd1642

                        SHA1

                        542ed16ec1730dec908d50650ca8fd140dcca3c9

                        SHA256

                        d24b22a8c9906c4170d04aeb67a36f8a535876e2975271fe7cc8310a862ac534

                        SHA512

                        de4b29e128dc1db780f23a334062affc50058e6f833a04e0abe0a871fd60d76f10b5666188c03b111b75768ab2304f169640e3aac809459ef4a9c98dc721d363

                        Download Submit

                      • C:\Windows\{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}.exe
                        Filesize

                        64KB

                        MD5

                        f594ac58d8df39974d6533cde3b166d7

                        SHA1

                        e75b37b67a0bd94db919bafc88d86013818dd7b6

                        SHA256

                        a45791dc3ff567731d359f745200d1b60908f34a0c5f659a2dbcec3d067b4568

                        SHA512

                        072507f7b011ddfe662139eff23e017fba1740aaf20c31f3d65fab47d199ed59925a3fa83da86cfbfcc38c76102f200581eb6137484615cc2ea7e1ab9fbdb9a2

                        Download Submit

                      • C:\Windows\{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe
                        Filesize

                        64KB

                        MD5

                        e0099d37a9be947d85b7e62b8c7a8d28

                        SHA1

                        37c6e114892314ae1984ba8e006d96ed10fa2780

                        SHA256

                        155b58258ccc04ff5a125c55f77e3e01df96605a65299b51c07974b543543d09

                        SHA512

                        ab7e0fb7aef95c2f2954642efd7e7a80390d38298fb28537121f0b82a3aefddb05b003ed1d3c30bf60cb0055c95beeda6b22aa7d5766f9bcae5529cb15bf78af

                        Download Submit

                      • C:\Windows\{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe
                        Filesize

                        64KB

                        MD5

                        73c8fa03dce1ccde76f8368f3911b963

                        SHA1

                        7838a86b45838ec72b70936a83db362ba6fe9ca3

                        SHA256

                        66b13a9d6133df0bc6de59d0ac89e67e425484bf245e7058c47519b10c83db89

                        SHA512

                        105ed9330f58a8b9d6484d7549ea46d0b8b8df0c1426bc5ae70207400412dba21203273f7f69995adba67ea6d12aa29e19c22077e5585660870c52d1b04b44bb

                        Download Submit

                      • C:\Windows\{9546F819-EB61-4648-8B4F-FC55880B461A}.exe
                        Filesize

                        64KB

                        MD5

                        aa50d162e54db801ad070c5d0d26f824

                        SHA1

                        73e7ce4de5142b90fdb3951ea326f40bf7409ca0

                        SHA256

                        82877e2839cfa36c4050433be189604f7f8416c85c905a9d93a32a549a7235a1

                        SHA512

                        eb29fb3dcd5ae7d291d9f8b7bb4fbf39cb251637ba6f767b00bb722614e10d692c2dfb93159a9f7d51b610d763c411fa5f639920f3bc9405fe45164388a4e4f4

                        Download Submit

                      • C:\Windows\{B8AF1F1F-6FD6-4dd3-AE88-072E2BC9BD70}.exe
                        Filesize

                        64KB

                        MD5

                        b18ab5f2256af9642173ef706e8df8b7

                        SHA1

                        2997e390884953422891e009ab413fa2a66f67dc

                        SHA256

                        0fd5647480d9171a97959f6b4638c6143ba85b5bba0832a989f077ca5c155eb6

                        SHA512

                        6a9eef2f4db834573d4653c29f97283755e31fa24a682dc8d365ebf2623a1ff887c2c4af8132ee8818a86e1abb87a0aa9cefda668029e12ea4cbacab4987b756

                        Download Submit

                      • C:\Windows\{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}.exe
                        Filesize

                        64KB

                        MD5

                        dded16324b20acdf2ff2a2ebcb86fee9

                        SHA1

                        d2f78bea54a4c3f4a7f52fe0261c5f55be534d8f

                        SHA256

                        b941247634103973a61c6ae79e5084b105b1d616c1ddc42342b2b1e7abdc5a43

                        SHA512

                        f5756e7bf27a6f088efca06822f5fca6e4864a5b0f2eb12a32c64417313b9940422e6c2a36bda8ff90ea5019049b843f3fecf93d139958b8c8509f6aaa61433c

                        Download Submit

                      • C:\Windows\{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe
                        Filesize

                        64KB

                        MD5

                        4cc5ee7e6fc5773ff6df2d273a16cf3a

                        SHA1

                        121203c92fdd1aa53d1573f59277e57f9c7d8514

                        SHA256

                        1216e8b8ad26b9cf47619ffe53a4712318e804e95219e22dcd272031e4913d94

                        SHA512

                        0298ae5f6bd440231dde49b93db447a1b2bd115582c9c3a59670202f8c6eb93b3a9f2040322a5e8445858723a60ea3b9215a3e942d898c1ac8a42a48339d338e

                        Download Submit

                      • memory/1236-78-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1236-71-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1484-95-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1492-54-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1492-62-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2344-17-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2344-9-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2412-69-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2600-28-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2600-36-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2612-7-0x00000000002F0000-0x0000000000300000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2612-0-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2612-8-0x00000000002F0000-0x0000000000300000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2612-10-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2664-87-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2740-37-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2740-44-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2908-53-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2996-19-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2996-27-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download