Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

9138918724...cs.exe

windows7-x64

10

9138918724...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/06/2024, 06:43 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91389187245a78e6a420a1c73d405ff0_NeikiAnalytics.exe

  • Size

    3.6MB

  • MD5

    91389187245a78e6a420a1c73d405ff0

  • SHA1

    edb9db038f604bdfc6e53f528edee158f58844d5

  • SHA256

    575995769c6de77768b0e90534a59d932562703fb72c90ab150bb94171525807

  • SHA512

    cc701b19929b48c830de016e921d9bc098376d42b2f48f32ff6d9cce4a10da20a09324dd2dc8bbf741b61bb2df99bd7e708e2b8af70a2c1a16f9874b3853a426

  • SSDEEP

    98304:ddByXcdnlLwOrI5Vfeg91hZOhkRpsinjB:ddien+OrFuBR6cB

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91389187245a78e6a420a1c73d405ff0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\91389187245a78e6a420a1c73d405ff0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3404
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4968
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2156
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4372
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2708

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    67.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    31.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
No results found
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    31.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    31.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
     116 B
     1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize

    3.6MB

    MD5

    92ccee738ede9c6ba9bfdc4c14ec4386

    SHA1

    8dbb0a9c3ed039ba02f517f1368081f96f49e3a7

    SHA256

    dd4e27699a90e13dcdb775e17ca8e103d54ee0f30eac259271189fe443d17f56

    SHA512

    37c99d73bf2c55493eaecee05d79763225f36ec2d88b1d48162ef481a3186994116b74b51df6407ad636ef732a29bf1c8ca5dd64a14376e2cb0bb18b939938b3

    Download Submit

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    3.6MB

    MD5

    6721c976f027b90d680104cf47c84013

    SHA1

    bc46869aac36188cff318cad27a0571f48fad286

    SHA256

    ef4ffdf831fa6d63e89c4cf1e8cc5756d7b5b0e89431b90f1668831a53915eca

    SHA512

    58db91fdb346df2b0af6758c4d68f422a016f0ac60973e8ef40d06b0a82b9faec1f1e9779ad0b2912d40c7fe637c526eb5bf794f928d5db5382083e6aab94192

    Download Submit

  • C:\Windows\Resources\svchost.exe
    Filesize

    3.6MB

    MD5

    e8b96ba6317245685d259a463fdc476f

    SHA1

    51a0c1b4a8a462f7b063cca1792414833771a5d5

    SHA256

    5fd60c97116bc0e5d886d2326e8259019bce04afa8129689c7cdc51e7a69e4f5

    SHA512

    b62195016daf497b600dd812172dc47e9b04bfcac9a0767202298a95d4ff38fc8c13f3d978ae7802c95a4046a7c9a61dfb1c3a96c3bd28f19897b5e09880e2fc

    Download Submit

  • memory/2156-40-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-37-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/3404-2-0x0000000077C53000-0x0000000077C54000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3404-1-0x0000000077C52000-0x0000000077C53000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3404-0-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/3404-41-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-51-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-63-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-71-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-43-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-69-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-67-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-46-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-47-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-65-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-49-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-28-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-61-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-59-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-53-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-57-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4372-55-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-50-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-45-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-52-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-60-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-11-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-62-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-54-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-48-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-56-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-66-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-64-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-68-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-44-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-42-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4968-70-0x0000000000400000-0x0000000000784000-memory.dmp

    Filesize

    3.5MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.