Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
26/05/2024, 16:52
General
-
Target
154fa8c9e1e726c6ab588f42e8051e90_NeikiAnalytics.exe
-
Size
66KB
-
MD5
154fa8c9e1e726c6ab588f42e8051e90
-
SHA1
c7b24b1919267764736bdb29913c6d6cccc413af
-
SHA256
f8a266fe5a32ad3ab72fb5010961ca86335a4d67ea0d8ce2abc812c7498777a1
-
SHA512
02f5eba16dd3b2ab0562ab2416bce0ae3dcdc3563c731a05abcd6d8ed4c03a02302b8db4e33f2e1ddc02c344c3345785021bb615ac80628e526a9b64886eb8e9
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXip:IeklMMYJhqezw/pXzH9ip
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\154fa8c9e1e726c6ab588f42e8051e90_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\154fa8c9e1e726c6ab588f42e8051e90_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 16:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 16:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 16:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD56ad40b76907eb6190de07876ea3ab546
SHA18364da9b01e2d947edd740c9bc6ae56bba6b6256
SHA25668380e38956ed194185fde9d02c8ef92b6f79556996bf63836f86bf628daeeba
SHA5126c4ce68827a13f493ac875d425a072c9bee3f0be1ff34090a6f337cf05bef86f9e14f090e2f106d265772740096c304eea0dff0d92f5e9c7e1e38a33c3275512
-
Filesize
66KB
MD55e4c3538435e01bb4ef77e18623de615
SHA1aee84c2a4624540b3b4efd11087f426fb04a7872
SHA256efef0fac542163a5883e5271f7c464c1e8e4da1c8ea955d8f7d80ccf5b9a0516
SHA512ba1007c7437065bf1b379b07a4ae6db9fdd82f0dba98df869a6ca50a6dd96923a6feca33442c1eaba263be5ea807ff4a808a24f438f6350d1563a58be45c9101
-
Filesize
66KB
MD52cbf5510ff126f6db70881a7cec0737d
SHA18b20a596f25b0d4a5dc2c2309f2570b5a81e06f3
SHA2567d4404821ae7b2a1fade65c7cd7885e0eb6a0a640375c2b39891a5b8134d7578
SHA51288ad825c8e2dbfc5311dfbb4037c1e4f50fb0a06513e405df5500524d7056cf991283a6128d5b8eb98f09636a262e07f4208bad2bc53b2ad785d4ab3906283bc
-
Filesize
66KB
MD546e4898798067b58f4b1b51a29a4741f
SHA126ff7051aef3e68451686ef8d3829d9b75d64234
SHA256ccaddbbd91ba6496d5e225a78212caf055260994d7b219cbc3e5003f2a88c97d
SHA5129c2c6bc78cce01f74c4022387dee7190bbb5d8fa78826de6a102464db5c63ca06a71623c0671b66555f013d241e2a45964229a34f746cadb3c439a349813156f
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
16KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
1.3MB