Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

59b1984572...cs.dll

windows7-x64

7

59b1984572...cs.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    31/05/2024, 17:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59b1984572c2ae6a7dddbf7b56738130_NeikiAnalytics.dll

  • Size

    468KB

  • MD5

    59b1984572c2ae6a7dddbf7b56738130

  • SHA1

    864b626f79aa3a7feaf04c95f20b37d02b18e1bd

  • SHA256

    15e502896e34d87921319a8830dc75d38580e5d15dcbbd9f9ee882efcabf3352

  • SHA512

    29b7089f232e74b0620b2245c40b314d64010d7ac0a11b4b4de49a3aa59e8eb1e28eae3b063bf31bcafff0d4a30375c48f1400ff133b6cefa45ed521a78ea25b

  • SSDEEP

    6144:oi05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:7rHGPv5SmptZDmUWuVZkxikdXcq

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\59b1984572c2ae6a7dddbf7b56738130_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2428
  • C:\Windows\system32\rdpclip.exe
    C:\Windows\system32\rdpclip.exe
    1⤵
      PID:2008
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\3HteF.cmd
      1⤵
        PID:2676
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{33819f3b-2f8d-cfcb-0a23-a942879f9636}"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{33819f3b-2f8d-cfcb-0a23-a942879f9636}"
          2⤵
            PID:2524
        • C:\Windows\system32\SystemPropertiesPerformance.exe
          C:\Windows\system32\SystemPropertiesPerformance.exe
          1⤵
            PID:2580
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\QfKeb.cmd
            1⤵
            • Drops file in System32 directory
            PID:2332
          • C:\Windows\System32\eventvwr.exe
            "C:\Windows\System32\eventvwr.exe"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:3036
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Q9O.cmd
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3032
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Create /F /TN "Vmvmshnity" /SC minute /MO 60 /TR "C:\Windows\system32\4434\SystemPropertiesPerformance.exe" /RL highest
                3⤵
                • Creates scheduled task(s)
                PID:1376

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\3HteF.cmd
            Filesize

            235B

            MD5

            062a70a540613ccad6ccc36c2fc3bad4

            SHA1

            268b41171eed8ed8ba456f1ab232c4a361cb3580

            SHA256

            949013822247389954fc49a7eb9d97a181c71f537b6f55028520a282dbd2ba43

            SHA512

            33e61038a1a13016efe99c571a2706b793c2154910c1721ec575c48f0c1c1494b5191eb1ba35694bcd9f12889cc9da2cae79491a4d03507355b3759bbb0884ad

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Ep42EDD.tmp
            Filesize

            476KB

            MD5

            153228f38b7d047bd7ed9039a7f078ef

            SHA1

            1617c0451b27429aef4ed28773792d800c50c551

            SHA256

            1fb60f285663b36c98a6f19bc3b746bac47fccb65345dda3930f2005e9013c73

            SHA512

            ad9adad67ac4e73175921625dd7ba443c0bcfcde29b0d5d11a5b102a4cae5894a3b665b315a06e895a7425d2ba0d7059d028bedb11e152130f9e0272916ad0d6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\I30E1.tmp
            Filesize

            472KB

            MD5

            21742bc4caa0ac1e8b6455577120e75d

            SHA1

            ace278985a191ae3d137a8fdea11d2f9dcd16710

            SHA256

            67e3b54fe15709c7203b0cff8c87d18e5b4906eb88046b7a087161d8f2136393

            SHA512

            a0e4b0b8ea6fc10532e78bebf7f69afdd41e37c3ff3f7104485550cf9cf1bce343eaa3c86aed6e15a10a2bcc7732084e3dc752884007859c139d43b75e386345

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Q9O.cmd
            Filesize

            148B

            MD5

            d505fee8f9f5d70b6f38032913c54476

            SHA1

            599f0db5596a7ebdf02025be00b08c0c1977e153

            SHA256

            9257b7244ef06cf07852c6956352601b4fe58458de56cc1d0ad8c81d0dd2f96a

            SHA512

            85a8a5aea794e37012cf88f50179d62aa2f1ecf90e2450b66b95c7211e86fe176f8e75c03410255eac977eeb4f2db4a6d476db602ad370601c64c1222a98f952

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\QfKeb.cmd
            Filesize

            210B

            MD5

            2e20cc90bc4c62f988423d79f947039a

            SHA1

            5c46df25c177197f4111957fe4384dd06516b67b

            SHA256

            f30659f15eaa6888ba686e2f0dae04c7e08744df600db843f5405bf037e6f015

            SHA512

            70d922472b00f0473b7b5b5d0b7a0f3b2a25345ad6a76cc04939bfc3d35b4ba33dc78b59667b3356e6a7c5c76978435671dfee19cea0512056660371faec03e4

            Download Submit

          • C:\Users\Admin\AppData\Roaming\5G18UBt\rdpclip.exe
            Filesize

            206KB

            MD5

            25d284eb2f12254c001afe9a82575a81

            SHA1

            cf131801fdd5ec92278f9e0ae62050e31c6670a5

            SHA256

            837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

            SHA512

            7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tonqjizj.lnk
            Filesize

            884B

            MD5

            bfb1704c58d6368e6fab0cceafd77d90

            SHA1

            976f912a5bbb02a282d26cb2a4b5c897cb91f98d

            SHA256

            23cb12ef4515da99e2733c9e3bfa5108abc4db55ed038c09b5f641d0cd566bba

            SHA512

            ca91398958fc957b0c700588013cb28cd63594e503b604d46023a2fb893b98f9227b95128f7d6b1a78af06edf4bc316fbe97f6ea77e8ca27df1edf04c7ac5dea

            Download Submit

          • memory/1200-17-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-28-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-11-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-12-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-15-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-16-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-19-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-18-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-21-0x00000000024E0000-0x00000000024E7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1200-92-0x0000000077726000-0x0000000077727000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1200-14-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-13-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-20-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-10-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-29-0x0000000077831000-0x0000000077832000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1200-38-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-41-0x0000000077990000-0x0000000077992000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1200-44-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-9-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-8-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-7-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-56-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/1200-3-0x0000000077726000-0x0000000077727000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1200-4-0x0000000002500000-0x0000000002501000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2428-6-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download

          • memory/2428-2-0x00000000000A0000-0x00000000000A7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2428-0-0x0000000140000000-0x0000000140075000-memory.dmp

            Filesize

            468KB

            Download