Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    28/05/2024, 12:53

General

  • Target

    44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe

  • Size

    843KB

  • MD5

    44a951475bbf66cefc34b1fc3845b580

  • SHA1

    20dae9ecb9278ad5e7c518a276f8a594edc5a114

  • SHA256

    9221fcebfa4240f4267240bceb4744a30033ffd50875cf2af562f9da2f5240a1

  • SHA512

    c087b652a9b2283813313d27fdde4f26705764136b40b8c485fb95a806e1f5a47239ffc87651714f6287e5b93d06a3b752415c0984c1bf835087aeb3be6634ab

  • SSDEEP

    12288:TwKfOVRo9yRYK42X5sUSF14tr4O8b8ITDnlLvAYrIw6E:TxWVeyRYK4s2hzM4O8b8ITDnl7CE

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2148
    • \??\c:\program files (x86)\microsoft office\office14\infopathom\microsoftinfopath.exe
      "c:\program files (x86)\microsoft office\office14\infopathom\microsoftinfopath.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2348
    • \??\c:\program files (x86)\common files\system\ado\ja-jp\operatingmicrosoft.exe
      "c:\program files (x86)\common files\system\ado\ja-jp\operatingmicrosoft.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2252
    • \??\c:\program files (x86)\adobe\reader 9.0\reader\browser\nppdf32acrobat.exe
      "c:\program files (x86)\adobe\reader 9.0\reader\browser\nppdf32acrobat.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1204
    • \??\c:\program files (x86)\common files\microsoft shared\source engine\sourceengine.exe
      "c:\program files (x86)\common files\microsoft shared\source engine\sourceengine.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2240

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\System\ado\ja-JP\RCX21A6.tmp

    Filesize

    845KB

    MD5

    e3f5d21ee8e755592f316b155fe3c7d2

    SHA1

    bb46f1e95a85e75116723fde8b5467ae96abcd56

    SHA256

    b3aabaa0dbdae465cdb57c0420ebb4071ed66b2a7d83b388d6d9e6ed889f3c34

    SHA512

    a6a6ed91f3513023da3533a267d9b2bb7e89c29aeadd78be50971da56c8353f9597b8b8a320437e9201e32d29a8a98e9bfc948019a5104cbc43f29211d491afc

  • C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\MicrosoftInfoPath.exe

    Filesize

    843KB

    MD5

    44a951475bbf66cefc34b1fc3845b580

    SHA1

    20dae9ecb9278ad5e7c518a276f8a594edc5a114

    SHA256

    9221fcebfa4240f4267240bceb4744a30033ffd50875cf2af562f9da2f5240a1

    SHA512

    c087b652a9b2283813313d27fdde4f26705764136b40b8c485fb95a806e1f5a47239ffc87651714f6287e5b93d06a3b752415c0984c1bf835087aeb3be6634ab