Analysis
- max time kernel: 150s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/05/2024, 20:49
Behavioral task: behavioral1
- Sample: 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe
- Size: 71KB
- MD5: 85a2f3e1bbba2dee5f48b736b9c58110
- SHA1: d3689b7dab0bf9973fa339308d8e17a3d9e15a42
- SHA256: dfb251be37c23f16b9a73eebc3eb338926993d0dcf70578fd31c79105836d377
- SHA512: 5c201d6800e5c816b54a9e614910c90290970ab962454fda5a36af5b6e0d582f48aaf346704270ba9e2d4c96b1e6cccec3bfb11a2ca683062486d20e4822e2b7
- SSDEEP: 768:EXKeT2Si83nLt8tkGX8uxOHgRrW5YLKG9Y/HrSNm0kmG7xMsVAnc3yy85SBiLFMR:EFrmh0HgB3LKrL9AcnQFMc9zwR6i+B+
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (svchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (explorer.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (svchost.exe)
Executes dropped EXE (4 IoCs)
pid / Process:
- 4716 explorer.exe
- 1308 spoolsv.exe
- 5104 svchost.exe
- 3084 spoolsv.exe
resource / yara_rule:
- behavioral2/memory/3764-0-0x0000000000400000-0x0000000000435000-memory.dmp (upx)
- behavioral2/files/0x000a00000002340b-7.dat (upx)
- behavioral2/files/0x0008000000023411-13.dat (upx)
- behavioral2/files/0x0008000000023413-23.dat (upx)
- behavioral2/memory/5104-25-0x0000000000400000-0x0000000000435000-memory.dmp (upx)
- behavioral2/memory/3084-31-0x0000000000400000-0x0000000000435000-memory.dmp (upx)
- behavioral2/memory/3084-37-0x0000000000400000-0x0000000000435000-memory.dmp (upx)
- behavioral2/memory/1308-39-0x0000000000400000-0x0000000000435000-memory.dmp (upx)
- behavioral2/files/0x0009000000023412-40.dat (upx)
- behavioral2/memory/3764-42-0x0000000000400000-0x0000000000435000-memory.dmp (upx)
- behavioral2/memory/4716-43-0x0000000000400000-0x0000000000435000-memory.dmp (upx)
- behavioral2/memory/5104-44-0x0000000000400000-0x0000000000435000-memory.dmp (upx)
- behavioral2/memory/4716-53-0x0000000000400000-0x0000000000435000-memory.dmp (upx)
Adds Run key to start application (2 TTPs, 4 IoCs)
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (explorer.exe)
Drops file in Windows directory (6 IoCs)
description / ioc / Process:
- File opened for modification \??\c:\windows\system\explorer.exe (85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe)
- File opened for modification \??\c:\windows\system\spoolsv.exe (explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (spoolsv.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (svchost.exe)
- File opened for modification C:\Windows\system\udsys.exe (explorer.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process:
3764 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe; 3764 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe; 4716 explorer.exe; 4716 explorer.exe; 4716 explorer.exe; 4716 explorer.exe; 4716 explorer.exe; 4716 explorer.exe; 5104 svchost.exe; 5104 svchost.exe; 5104 svchost.exe; 5104 svchost.exe; 4716 explorer.exe; 4716 explorer.exe; 5104 svchost.exe; 5104 svchost.exe; 4716 explorer.exe; 4716 explorer.exe; 5104 svchost.exe; 5104 svchost.exe; 4716 explorer.exe; 4716 explorer.exe; 5104 svchost.exe; 5104 svchost.exe; 4716 explorer.exe; 4716 explorer.exe; 5104 svchost.exe; 5104 svchost.exe; 4716 explorer.exe; 4716 explorer.exe; 5104 svchost.exe; 5104 svchost.exe; 4716 explorer.exe; 4716 explorer.exe; 5104 svchost.exe; 5104 svchost.exe; 4716 explorer.exe; 4716 explorer.exe; 5104 svchost.exe; 5104 svchost.exe; 4716 explorer.exe; 4716 explorer.exe; 5104 svchost.exe; 5104 svchost.exe; 4716 explorer.exe; 4716 explorer.exe; 5104 svchost.exe; 5104 svchost.exe; 4716 explorer.exe; 4716 explorer.exe; 5104 svchost.exe; 5104 svchost.exe; 4716 explorer.exe; 4716 explorer.exe; 5104 svchost.exe; 5104 svchost.exe; 4716 explorer.exe; 4716 explorer.exe; 5104 svchost.exe; 5104 svchost.exe; 4716 explorer.exe; 4716 explorer.exe; 5104 svchost.exe; 5104 svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid / Process:
- 4716 explorer.exe
- 5104 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid / Process:
- 3764 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe
- 3764 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe
- 4716 explorer.exe
- 4716 explorer.exe
- 1308 spoolsv.exe
- 1308 spoolsv.exe
- 5104 svchost.exe
- 5104 svchost.exe
- 3084 spoolsv.exe
- 3084 spoolsv.exe
- 4716 explorer.exe
- 4716 explorer.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description / pid / Process / procid_target:
- PID 3764 wrote to memory of 4716: pid 3764, 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe, procid_target 83
- PID 3764 wrote to memory of 4716: pid 3764, 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe, procid_target 83
- PID 3764 wrote to memory of 4716: pid 3764, 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe, procid_target 83
- PID 4716 wrote to memory of 1308: pid 4716, explorer.exe, procid_target 84
- PID 4716 wrote to memory of 1308: pid 4716, explorer.exe, procid_target 84
- PID 4716 wrote to memory of 1308: pid 4716, explorer.exe, procid_target 84
- PID 1308 wrote to memory of 5104: pid 1308, spoolsv.exe, procid_target 85
- PID 1308 wrote to memory of 5104: pid 1308, spoolsv.exe, procid_target 85
- PID 1308 wrote to memory of 5104: pid 1308, spoolsv.exe, procid_target 85
- PID 5104 wrote to memory of 3084: pid 5104, svchost.exe, procid_target 86
- PID 5104 wrote to memory of 3084: pid 5104, svchost.exe, procid_target 86
- PID 5104 wrote to memory of 3084: pid 5104, svchost.exe, procid_target 86
- PID 5104 wrote to memory of 4360: pid 5104, svchost.exe, procid_target 87
- PID 5104 wrote to memory of 4360: pid 5104, svchost.exe, procid_target 87
- PID 5104 wrote to memory of 4360: pid 5104, svchost.exe, procid_target 87
- PID 5104 wrote to memory of 2124: pid 5104, svchost.exe, procid_target 106
- PID 5104 wrote to memory of 2124: pid 5104, svchost.exe, procid_target 106
- PID 5104 wrote to memory of 2124: pid 5104, svchost.exe, procid_target 106
- PID 5104 wrote to memory of 3652: pid 5104, svchost.exe, procid_target 116
- PID 5104 wrote to memory of 3652: pid 5104, svchost.exe, procid_target 116
- PID 5104 wrote to memory of 3652: pid 5104, svchost.exe, procid_target 116
Processes (process tree; the number in parentheses is the depth in the tree)
- (1) C:\Users\Admin\AppData\Local\Temp\85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe"
  PID: 3764
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (2) \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 4716
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - (3) \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 1308
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - (4) \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 5104
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - (5) \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 3084
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - (5) C:\Windows\SysWOW64\at.exe
          Command line: at 20:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 4360
        - (5) C:\Windows\SysWOW64\at.exe
          Command line: at 20:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2124
        - (5) C:\Windows\SysWOW64\at.exe
          Command line: at 20:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 3652
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 71KB
  MD5: 5d560457605d3075c7a884c3fd3435a9
  SHA1: 2d7d99e934b6104222e289c7d8d2cee8865e4359
  SHA256: ef61af9443e5a133975a107d31eef0c1406804f77260ad711811961a864e52f2
  SHA512: 40627302134d6decd3b6ae3b3e285e3dbefc0f1600f87b9975cbaccd4fe8d5c2a65d8ebb9a5f5f2f9d2bccd36af784620799c34dda2cce0b539fb39b57c448fe
- Filesize: 71KB
  MD5: 0d6f825c9cb818310835d17b9ba59674
  SHA1: 87e02a53c44aed3aab31722e728c952e2d625628
  SHA256: 20305b02352cbc5be2cbd216321216cae0b55b2b0e04b1f9b438776a40abd5f1
  SHA512: 7d27f8219dacbca417ec1642eca37045a334f50e0029a1fbb1a1660dbbc3e1c8dc6ccaa323418d53041ce1d3b9b9d8acccd998df40ceb81d8c736b1e61440546
- Filesize: 71KB
  MD5: 0127605e4cadc9581ec54f0cce6981a7
  SHA1: cad1375fd730361bfbff6bf61a32c244d3764223
  SHA256: 8057d7bad7d138fdd65b528ec72734e67fdf97db58f72efc5ddd5747139ab93f
  SHA512: a03a5e622897c014be03c11682b8424173ea88d6ef47a1197ed9c401b5e4819d6df336c78d56c5ce65b0a3f6b5f9e4dd7f668f151e33dd9d390abdf04bf86ea9
- Filesize: 71KB
  MD5: ad33c328e313054703749f5e4ee2d711
  SHA1: 44184f2db17480106807326af2209fdd1f9e8e94
  SHA256: 7f3bfe1d23471bd6fef692a3b8a785c7334f3e44d8cd1c1c70628b079666dc6c
  SHA512: 91a075a2ed74e362155d79c38922f57fc305277de798e934ee5528584a75fd47fdb3def52b1c5ad22fed5f238f2d4eb0acf255389d4c1f1dfe43bcce40686803