Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

1b2e6863d5...cs.exe

windows7-x64

10

1b2e6863d5...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/05/2024, 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b2e6863d541a4c2a37e06818c529d40_NeikiAnalytics.exe

  • Size

    97KB

  • MD5

    1b2e6863d541a4c2a37e06818c529d40

  • SHA1

    2800b6a11e190be6e5cb7822f58470ffc19d75d5

  • SHA256

    8e4605ce9403ff902ebd6c92a15f2f15be46967c43217b4ee3c9021d826da3d3

  • SHA512

    1534d59c08e4ee51337fab8c301d32d96dc82dd1e26513cba95446164cda4d3e158ce2df2b1200713040f5987cd48f88915fb73163bca540ae23a1018982b8e8

  • SSDEEP

    1536:4a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3YdoIe:J8dfX7y9DZ+N7eB+tIe

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 23 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b2e6863d541a4c2a37e06818c529d40_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1b2e6863d541a4c2a37e06818c529d40_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3000
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4900
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1096
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:216
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3660
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4408
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2252
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:752
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4560
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1648
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1472
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2648
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4004
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1b2e6863d541a4c2a37e06818c529d40_NeikiAnalytics.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:3052
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3900

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recycled\SPOOLSV.EXE
      Filesize

      97KB

      MD5

      5dc51e80ead84084984042dadd0343ce

      SHA1

      af231df0ab7521b7f284c3df7505b03242fc66df

      SHA256

      2d7ecc7f94751c2e87e0fa5f6d24f8c97284a788af64a89bbf07581a840f6f88

      SHA512

      a99ce195c3b292bd9e9908544cd3a45bb3018305ebd7574aeb56abc7314465ee9913d51bf6dd6b150d48dcfdf2a56c451bcaa13c1dcf48711c82bbab93fa4991

      Download Submit

    • C:\Recycled\SVCHOST.EXE
      Filesize

      97KB

      MD5

      fb759c328fc0d3dc417546948c5c63bc

      SHA1

      68940f7db16a58c972dd402a47cd40e1e70446a4

      SHA256

      4a75c95a6609154023dbae2f75b612ac9606dec19c5d786553858ddd3a5e8f72

      SHA512

      cba7c47c150bb14bac75f2dee6f5512e0b2f906741f2e74dbdbd36a1c5248c485e415022d2dc9867e923a708a6b374434a50a587d7de366f3511d367de74e27d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
      Filesize

      2KB

      MD5

      1a1dce35d60d2c70ca8894954fd5d384

      SHA1

      58547dd65d506c892290755010d0232da34ee000

      SHA256

      2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

      SHA512

      4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      97KB

      MD5

      ef8d710bbcdc4c01f008cb1cdf0ebe10

      SHA1

      ad179a59ee5255c8594e39ab4c440aedaebc75d5

      SHA256

      a1e8897676d0544187100531c9edf9a76083f9beeea7552cf938bc287b57d5e5

      SHA512

      05608d46195c4dfb68e51dba51f693ed1a7da703364039e17e3ac0947b3a9345c510785873f9766edc7e85bed19011c55d313f3e489685d58438297e2c5ec7f3

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      97KB

      MD5

      07d9e20b9dd9e07a67877d170ef843c9

      SHA1

      233a1da14e5439fe4960b214361bf7b6d6d17eef

      SHA256

      4e589ec831653b8266f7fed479509db427922a954f46fee8ef9b40645f8a9f3c

      SHA512

      fa0ce234f8b49b2e5428737ebdd2c40c2fea5cc583ad912f359e87ead3e7cd4671d5e596109f5fff302b71a9d6489b0ff2e7609b73202d4538a32714d0cb6366

      Download Submit

    • C:\begolu.txt
      Filesize

      2B

      MD5

      2b9d4fa85c8e82132bde46b143040142

      SHA1

      a02431cf7c501a5b368c91e41283419d8fa9fb03

      SHA256

      4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

      SHA512

      c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

      Download Submit

    • F:\Recycled\SVCHOST.EXE
      Filesize

      97KB

      MD5

      8448dc6cb863665d6cc9a9bc358242b8

      SHA1

      16529199dee55e944e19dfdab1512c99c861b1a5

      SHA256

      df578bcb5e7fef87e3ff0a32335f2c405a15671f9d14f7d80df8d24dcd05b56a

      SHA512

      7eebda1b4ee951cf6a2cfdaa57745fac4239032df75ea4a64b756d87ff1c121f43b69081f8ceb118b1cbdf9b11f0678d6c9379fd543535b47516280826a09ed3

      Download Submit

    • memory/216-50-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/752-77-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1096-47-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1472-92-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1648-86-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2252-67-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2252-70-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2648-96-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2860-32-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3000-33-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3052-111-0x00007FFD54A60000-0x00007FFD54A70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3052-103-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3052-106-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3052-105-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3052-109-0x00007FFD54A60000-0x00007FFD54A70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3052-102-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3052-104-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3660-62-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3868-107-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3868-0-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4004-99-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4408-66-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4560-82-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4560-78-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4772-19-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4900-44-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download