Analysis
max time kernel: 149s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/05/2024, 04:28
Static task: static1
Behavioral task: behavioral1
  Sample: 3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
Size: 144KB
MD5: 3e76863efc9b779e7d4ff799df65dfc0
SHA1: 45dbf8b77811d1c366fe33860fa6e587e1f6b85f
SHA256: 11d1c8debe5780af021f2e446cc3723968ef92424bfe56bedda1067f5956f1fd
SHA512: f4b0ea61fe68b6927df14005aaa84184d97465eade929eecb70e0b511b4c3d21029f0d6c6f10b86da1cdde880d6176fd6baf751fe1343c3597a485fed9a62d59
SSDEEP: 3072:l5SVkkgUgXC7AdYzrV+Dljy/32ubwZ/qJ:SUFCkdYzrVolu/J0Z/
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  592   WindowsService.exe
  1360  WindowsService.exe
  2540  WindowsService.exe

Loads dropped DLL (5 IoCs; all five rows identical)
  pid   Process
  2624  3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe  (5 rows)

YARA rule match: upx (5 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2624-446-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/2624-488-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/2624-1034-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/1360-955-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1360-1041-0x0000000000400000-0x000000000040B000-memory.dmp  upx

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"  reg.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                                               procid_target
  PID 2660 set thread context of 2624  2660  3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe   28
  PID 592 set thread context of 1360   592   WindowsService.exe                                    35
  PID 592 set thread context of 2540   592   WindowsService.exe                                    36

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (64 IoCs; all 64 rows identical)
  description                 pid   Process
  Token: SeDebugPrivilege     1360  WindowsService.exe  (64 rows)

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2660  3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
  2624  3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
  592   WindowsService.exe
  1360  WindowsService.exe

Suspicious use of WriteProcessMemory (41 IoCs; identical rows collapsed, count in last column)
  description                       pid   Process                                               procid_target  rows
  PID 2660 wrote to memory of 2624  2660  3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe   28             8
  PID 2624 wrote to memory of 2532  2624  3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe   29             4
  PID 2532 wrote to memory of 2852  2532  cmd.exe                                               31             4
  PID 2624 wrote to memory of 592   2624  3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe   32             4
  PID 592 wrote to memory of 1360   592   WindowsService.exe                                    35             8
  PID 592 wrote to memory of 2540   592   WindowsService.exe                                    36             13
Processes

1. C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe"
   PID: 2660
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe"
      PID: 2624
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BRSPY.bat" "
         PID: 2532
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\reg.exe
            cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
            PID: 2852
            - Adds Run key to start application

      3. C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
         cmdline: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
         PID: 592
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
            PID: 1360
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

         4. C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
            PID: 2540
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 157B
  MD5: f6a90c20834f271a907a4e2bc28184c2
  SHA1: 36c9d1602b74f622346fbb22693597d7889df48d
  SHA256: 73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd
  SHA512: 39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

File 2
  Filesize: 144KB
  MD5: 00657b45b436382477e182bcf8dfd69c
  SHA1: 2e6ed210351d59d97c8c7feeb0a1f0008c9d4528
  SHA256: d3f5825e3128fb8515fa4cfbb53066b1c123fef674294a02f5ebb2375b0c6d3d
  SHA512: 87b81f24ba23faceee7e351a196cf73806c59822e0197dc1ed93655507e163cd972700b0aa40962dd1654988db767802401d6fd1d4b8511439b4b7dd8522efef