Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

7c497a15d0...cs.exe

windows7-x64

10

7c497a15d0...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27/05/2024, 12:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

  • Size

    204KB

  • MD5

    7c497a15d00cc46f9ca2fd89426e2ce0

  • SHA1

    2a02c3973f728924f0e4bef7a19ace72e0c1b467

  • SHA256

    76886fc56486c6f7d908a29f63bdd1abad67d0ea6b440acd757ef3950fb301b6

  • SHA512

    a275baf488852d54805c664424617e376ac48c34437f24693c59092416378182d7615857efaa17bb53e4a6416ceb4d6b6b786fd5fe84c39dc40a8d62673ee2e0

  • SSDEEP

    3072:m/5F/E7tEf0E+p+tYlpJH7iXQNgggHlxDZiYLK5WpYMGmUXNQDaG0A8+:mhF4c5+wWJH7igNgjdFKsumUXG+i

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 18 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1760
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:436
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1728
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2812
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2644
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2320
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2288
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1552
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2880
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:992
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1136
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:700
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

7
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    240KB

    MD5

    aafd046578cb24bada7abb1a9f66b72c

    SHA1

    e87fa379e8c42c1ba3dec76546887d235340194c

    SHA256

    623bd7009f7da1f513d6b768e6a7ef6c1aa593195bc3f0c70d08e51444437f27

    SHA512

    22f6c42189ab58d3e4b3a962f11f1cfff25ccfcbab0d8698e2bdfe334ee8a77a802fd714be2048a4afd001d68ff95e70bbf5aebdfe125f19fab61ee367426f3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    240KB

    MD5

    9098e8aa54dd56f6cc63881ca896e9b1

    SHA1

    32981bb96fa63e84a236f89f93f4d61079a85a37

    SHA256

    3880f2e0fd91b3429baa0caf0353303f72c60d9f54b186b15e348ba7d9ada335

    SHA512

    991e53287e2360b230f69221913afa9b8abbab9fb0c707b46b263671e89eaec679f7afb3dbd4f099da31f2b320519909c37326721b88d5925516255c7533a4f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
    Filesize

    1KB

    MD5

    48dd6cae43ce26b992c35799fcd76898

    SHA1

    8e600544df0250da7d634599ce6ee50da11c0355

    SHA256

    7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

    SHA512

    c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    204KB

    MD5

    7c497a15d00cc46f9ca2fd89426e2ce0

    SHA1

    2a02c3973f728924f0e4bef7a19ace72e0c1b467

    SHA256

    76886fc56486c6f7d908a29f63bdd1abad67d0ea6b440acd757ef3950fb301b6

    SHA512

    a275baf488852d54805c664424617e376ac48c34437f24693c59092416378182d7615857efaa17bb53e4a6416ceb4d6b6b786fd5fe84c39dc40a8d62673ee2e0

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    204KB

    MD5

    f977012a85ddbfe872ddbaee3b8f0fa5

    SHA1

    481575953e92ecf30b5d9fc9b8c81fc59636bbdc

    SHA256

    2124a280b194911097a3e95268ed090714c28da69373c569f6e9a51581f4dd2e

    SHA512

    6f756aa984e1715e73a55b176db6bff47661a14b1d81de700dd309f18d3684e79d6b64f3ae69e16154831df8b3e023eca88df2f2741b9f7f91741a78ef286455

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    204KB

    MD5

    1d7892b674e7a7b6d2df90c014595e6d

    SHA1

    20a19ededff99b9e74b2902593bdb44413739f49

    SHA256

    b171973f53afc62276e8a377f9f488442f2b2ad37fe73907f5f2cf6136135769

    SHA512

    67cdaeba41fcb128d62968df1a903a860bd0430ebae325d6b72ae088bbea7363b4ee46b3314dc0078ea03a1fb8b1325b540ea21c89979d28c673ded1c51eced0

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    204KB

    MD5

    d4c3400ef59b9456cbd0effe8a3565de

    SHA1

    1afdd69812fa3057c44801400bf46118f9a9b773

    SHA256

    23d27681ca46641b5175d9efe154193953ac823fe1d79acdb5bb6f46a8581a89

    SHA512

    0dd9749ce04883bab05c0afcc9add779746e7f3e9ad2ac6c26c26014e0bc9de2009a27641c40fe38d7710a8bf3b767a2ea95b2dff8f26f7313ba3d89c92b7666

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    204KB

    MD5

    c1f4e44a1c3a56ed7765bb6abdb0c5b9

    SHA1

    ba835ca5d00686d21749892db75414f241e9052c

    SHA256

    bae036d0bf81dd9a2142ecb81e5cba6852e8cff3c0cd608e5f4dbfc950b31c49

    SHA512

    c34e1b3740c12559d6a4b02de55dca8d49184560ce80c6a9610ddc2b658762c2db5fc87f340a241a4ad9d684058e60024bc9d9de6321bb63ca59f7792a78b40f

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    204KB

    MD5

    c8ffd8e8c7750f2f9fad412e979950ba

    SHA1

    b216814caeaa34f60a7e362b2f5a00ca24c23a5c

    SHA256

    ffc7d97da44e7207f3c053330ead246a6fa7757bcc4f4b718ef0d88b5ea801d8

    SHA512

    2670a94e54aec6287d61b0bf7b83d9b6cfbf9572c6ae5a7400046af577afcd7b9ac8416e0c3ed132c4d7ea02fb58ce40e9af93a084c4777ad361d1de0b6abe61

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    204KB

    MD5

    09adba7d8e9c0471a1f881b745c8b6e1

    SHA1

    6dfe549094b280531e21f41aedddd0b98c5bf954

    SHA256

    79816853a2cd571746ba76fea7eac322b7d8c99c051023e86599367fd7a780f0

    SHA512

    ae600894759f05514653179305fa83cfe9b02ea19e7b769aa39f03eda7fb90fcf999e5ebd5fca9ea4fa2f71a2153207b46b87c56687738ed93b5389d2658f7d6

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    204KB

    MD5

    18946de5f197116082b6ae9695370842

    SHA1

    70c5d5ebf93e90a51f617ead83d7951b004f88fa

    SHA256

    e6b2cd4fd17328df7fc1720181438d6ecba7a564bf6d25cdce81fe66d701bce5

    SHA512

    d3f27901018b91f52a56df3bdd719d273941c2273056bb6db5bea8a1d6d6da24267653c499b532f9f3da3a3f3eaa8ca1ac94e561b4d38dc02fb76cca9207ad25

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    204KB

    MD5

    47c08599ad794f8077eeebfca9400ebb

    SHA1

    09ed83fbd5eae5f795a07d67420a964f14cf3349

    SHA256

    a90fbb75ca778c151de47c1861c005783bb884f7205f93ce2340aac58482d6d3

    SHA512

    b844700d4335c7fc26c7f6129a25e2bec38dab23925fe32adc0e34a10457fb5631f3c6f5417c2b76dfb514fbb7c985ccb53f168779c6337c47f7d098a09aabfe

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    204KB

    MD5

    5a7d6606cb5bed9980fb4cda1f6a9c72

    SHA1

    a40f053bf38e613d83c3b06b1f5fefd459335ac2

    SHA256

    f15c3bc058c2349bf204703fd2509d6d56b06a020de21685d08a328a1412fccc

    SHA512

    87f6aaa5edcf78d37a095c480b65fd408485abd08df80165f6083b9a3c57461736db46d6e5b5dcdb6c4cb2d5e265ec2742f11aa9a952d8ee60b44bf31e82140f

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    204KB

    MD5

    d0e14def386d32af8854526e3c2f15e4

    SHA1

    10551378aed1db638de64b0e20bea08a399a360b

    SHA256

    b3bb32bf45b22b0749e4d706ee3ec4e76c490c17d4ad112d7917461b0e96c9ae

    SHA512

    28376462993ae9b3ea6bc20dcc990c5d7cb4c14d32556de21e102a923f3b7dcdad99eb600617fb362d637bdc69406511a36cd6c9f690ca289db3240248b97aa5

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    204KB

    MD5

    f7b0fd70bbf648c3b5470f45eb22be71

    SHA1

    843a3c90312167f98b19839dac0ec8791c1749e9

    SHA256

    7ec73bef380751881f66a1b0b9beccd30a42dccf637dba79f76a765b4e633174

    SHA512

    6f90132ac9d6c54babed8537eb407f0ae587aa0529a665526fcd66e5163b021f1965da985e19ba7632065c1fbfd4cfd731572d6bd0f14a1c2745fb608771d059

    Download Submit

  • memory/436-114-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/700-277-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/700-273-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/808-301-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/992-254-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1136-265-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1136-262-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1552-232-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1552-229-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1728-125-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1728-122-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1760-133-0x0000000002400000-0x000000000242F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1760-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1760-427-0x0000000002400000-0x000000000242F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1760-426-0x0000000002400000-0x000000000242F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1760-246-0x0000000002400000-0x000000000242F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1760-213-0x0000000002400000-0x000000000242F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1760-206-0x0000000002400000-0x000000000242F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1760-106-0x0000000002400000-0x000000000242F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1760-115-0x0000000002400000-0x000000000242F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1760-146-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1760-140-0x0000000002400000-0x000000000242F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1760-132-0x0000000002400000-0x000000000242F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2288-223-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2320-212-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2320-207-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2644-149-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2812-137-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2880-243-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2880-242-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download