Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

56c3dabbbd...cs.exe

windows7-x64

10

56c3dabbbd...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/05/2024, 23:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56c3dabbbd485afe3acf887ae7e16800_NeikiAnalytics.exe

  • Size

    65KB

  • MD5

    56c3dabbbd485afe3acf887ae7e16800

  • SHA1

    d76794906b1d67a37b9eebd6930bfcbf96650307

  • SHA256

    10ce4f31a43caf61cf34e781a0065709db62134b777713e7e0b5fb0bc2c996c0

  • SHA512

    ae25ce7bf009625272bf4712678de75b886f73eeff28de7b3f22d2936d5939d7c68ca00c4e087079255f0dab50112f755ce70806ad9f95b5fd8d4066ebfe0c3c

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuGFFFFFFFFFFFFFFFFFFB:7WNqkOJWmo1HpM0MkTUmu8

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56c3dabbbd485afe3acf887ae7e16800_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\56c3dabbbd485afe3acf887ae7e16800_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4768
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4728
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3540
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1800
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4208
          • C:\Windows\SysWOW64\at.exe
            at 23:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:4384
            • C:\Windows\SysWOW64\at.exe
              at 23:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:3020
              • C:\Windows\SysWOW64\at.exe
                at 23:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2492

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          f351475a9f3ca18319cbb24a0e5f5cee

          SHA1

          448acce1ea85c0624c3df7559acc9b6b55907e7e

          SHA256

          f5242bdab5982555038e212a3d7a280240e7e2fc1a7aa678a7eb5e8ae81d7811

          SHA512

          29d54311c6e442819e73f2a249ed6d7d8e726559bd7b66ac812414771c48d01523f67df377bb87aa06a230f46cde093ad8e9b5733e831c0d2a5643f427bdb339

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          65KB

          MD5

          c4498008963f5d15ef51547766338320

          SHA1

          8da83349e4b1601e50b77d173134694477994f9f

          SHA256

          4dfebef0f764ec11adf3d9d2566f5c37be1224188e1d67047268519c9e57c24a

          SHA512

          65ce1d96d12af2d432a2b5b7a75e4319f588a8627a754169a285447a5e351344b1c83f3cb1d9536948a6ba5c302ececfe0a2ba429ec4bbe8c02f23e4009cbc9a

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          65KB

          MD5

          ef6a6005b05878b0d7a691a47565e3ec

          SHA1

          03cb9fa4506648d91a3eb3155cc72aae0519e761

          SHA256

          11ffe4189eaa22053a46a9ab522b80eb8dc941151a0fe708729ccc4e6f15f469

          SHA512

          439828d868440b1eaee173113b2c8059cf24c0577e52ef5570f2f1274afee154e94c078a963008c6f27256774205d702fafb332da85aa190c2ffebd99214a16c

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          65KB

          MD5

          2acbdbd04283e21e8d632ca508b9238b

          SHA1

          b4d0426a910c143c91fa675fb7ffbdeea2401895

          SHA256

          01b80570d440acddfa68b37a1d83d4c842f8d3782ac6ea848d98273aa477a647

          SHA512

          24c5d46fd7315527304816bea2656f04bf537c88024a7ac7078fa5ef13327660530f7ee1587bf1e82f0a331811e5328627e0a5d6b3e2e855259b9c8be4d5379f

          Download Submit

        • memory/1800-62-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1800-43-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1800-38-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3540-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3540-27-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3540-31-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3540-26-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3540-25-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4208-51-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4208-45-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4728-14-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4728-16-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4728-12-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4728-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4728-71-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4768-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/4768-2-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4768-56-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4768-58-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4768-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4768-57-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/4768-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4768-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download