Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    02/06/2024, 04:52

General

  • Target

    3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    3a50ce1fdd93ae5fbc810c8d4cd9a3a0

  • SHA1

    fb585d9b5a2e8cc49cd27995e26426f661201a31

  • SHA256

    0a8e8012c6e4d632b06494dc039465a057cdd756f897e5b093215e0b6031af5e

  • SHA512

    47da6bb1c7a4d3debf07b2c01f641dd1c56c0f43ffb68c0aceaa5d8c746bdf3d155e6df33df4e7f76f5cdc8d044566e5bd0ebb64a74727bff6fd7434ab205304

  • SSDEEP

    1536:kRsjd3GR2Dxy387Lnouy8VT8Rsjd3GR2Dxy387Lnouy8VTY:kOgUXoutN8OgUXoutNY

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2916
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1836
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1304
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1456
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2692
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1460
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2936
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\services.exe

    Filesize

    91KB

    MD5

    3a50ce1fdd93ae5fbc810c8d4cd9a3a0

    SHA1

    fb585d9b5a2e8cc49cd27995e26426f661201a31

    SHA256

    0a8e8012c6e4d632b06494dc039465a057cdd756f897e5b093215e0b6031af5e

    SHA512

    47da6bb1c7a4d3debf07b2c01f641dd1c56c0f43ffb68c0aceaa5d8c746bdf3d155e6df33df4e7f76f5cdc8d044566e5bd0ebb64a74727bff6fd7434ab205304

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    62f14e3d36f386fc79409774697cc3de

    SHA1

    f6dc05839e06adbfe1bca9eb9a4128498b914f7d

    SHA256

    7e7b3b0a4305088def4dbdd64a6332d08992ee0e57dc114daf31671967bec329

    SHA512

    da7cdbf3b14a0ad1cab7d561f614048c06d6f76e589a72d2b5d947ba2c7e60ae631349cc22a8761e4efdc257305de4dbce27c733ccf4a9be33781d868f1c2002

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    a9ddaa5472d025d27cd06f4679616932

    SHA1

    77451fc5b808dd80d50e26f32bf249cf3b20e1fc

    SHA256

    a893b8814b7c3a4c177fa3904702360c8d37c1d93c579a22f759726613a81c60

    SHA512

    c24f3f49dabfa397fbd75b53ff7941e828c4f85d8733d9b607c9b6f6121c5e066bd4d6de22d5834cb9874c497b471b720063abc8bfdb1a1b282bd3518b65b731

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    24589ab8cb799bcc6b8c2e22e6b40cdd

    SHA1

    0d6f385b05b4de55f3bc2809773b2162884e73a6

    SHA256

    f0595ec8f0064f80f55c2018ddd9235ff55d8edc8e6c0856892e81ebd0a436da

    SHA512

    76d673ea62030241d0a7ab19b5052fa6bd8557fcc91fdbb229e7e1b99f4bd792d9312213f1e153784f483d47cd80491b3e9df45aa96d62f43976ffb9293cce27

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    cd5eb20bbfadd19f1f0c92875a03d046

    SHA1

    8714b7aca4bfc1e00bd805ee9bd3acb0db7a0771

    SHA256

    49c9bb436b90bba9f3546cacff84880750a9f7fd07e58b6c8f919e1bea3f909b

    SHA512

    c83ec21dc67ff39b443f164f82294689170e2bd3f0ceaf5c89e39eaa831e3c6fde9b2f16d006c674bc1c79cab460c21241a92226cfdc3f92ccfbb7310f5381ff

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    4f541498697e32f0d832f6d09ee8fcd2

    SHA1

    ae5407f048e931fa14a6682776c23839a95dc67b

    SHA256

    1e3a1f8efce01ecf904ab1a098912701584e3f1c0b8cdc650b8c896d39b064bd

    SHA512

    353a48dbbff29635fb51b43317eea1d0b5f9f2b06f8703646b8bdb69965cb3f15cabd901f3a02cfad945550949d6f07af6635da7e01f89b8c1941e7e538eb717

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    76ffdc51501cc923197b8b634c2f3885

    SHA1

    ce42b4155baef6a0338e63da8e0a1ee6e7f54687

    SHA256

    51d3728676bbec02c180bc7f0b59244e502e5c3861a19dc1acc4fce44bb48bb8

    SHA512

    2d706f0f6ea514f09a9341b62a39372f5159a98b263f128181c2a01a6785f407541701ca5db62ceee8851846390aa6b17ad5b8965ca336579eb383e82532b234

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    462eceba04d5abe3e3eb3cbed64a44b7

    SHA1

    3f1121794d31f5d9d5973fffd979cfb61255c18a

    SHA256

    6a0d4688f97e484c16ae2ee0a6897060f2b1b526901f770b4613d9049960d562

    SHA512

    5d3f8735588129eace5825a8847ce9603acb55b40dbf16f4270ff14e173589a0d13c954f5e0d96040ba6bf5dbb23c72aef6ca969618c73ef02aa3cd7e9d48bc9

  • memory/1304-123-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1456-136-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1460-154-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1460-158-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1708-182-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1836-114-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2692-146-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2916-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2916-132-0x00000000004C0000-0x00000000004EF000-memory.dmp

    Filesize

    188KB

  • memory/2916-162-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2916-166-0x00000000004C0000-0x00000000004EF000-memory.dmp

    Filesize

    188KB

  • memory/2916-131-0x00000000004C0000-0x00000000004EF000-memory.dmp

    Filesize

    188KB

  • memory/2916-179-0x00000000004C0000-0x00000000004EF000-memory.dmp

    Filesize

    188KB

  • memory/2916-105-0x00000000004C0000-0x00000000004EF000-memory.dmp

    Filesize

    188KB

  • memory/2916-184-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2936-168-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2936-171-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB