Analysis

  • max time kernel: 150s
  • max time network: 147s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 03/06/2024, 05:06

General

  • Target: 9c830d51d65dd354bf08339d7c5e30f0_NeikiAnalytics.exe
  • Size: 213KB
  • MD5: 9c830d51d65dd354bf08339d7c5e30f0
  • SHA1: e54e6e076f415d97e80240067d5aeb091861fe86
  • SHA256: c858155a0f5b576b927ff5888932d66b22b1b1c794c65b6f178ed9e46231b26a
  • SHA512: 119e4eb0fec31450c8585dba772dadb6b9c0afd53fe46dac8a85693951fb752f1dd69b36e2f70046a936aef4dae553fddc55eb6f63483fa3d2acbd8517d56938
  • SSDEEP: 6144:/7++Jbojf5Vq5OC4qZhZcKYhc/ZfUozY:K+cff22qZhZcKYhc/

Score: 10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Program Files directory 36 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c830d51d65dd354bf08339d7c5e30f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9c830d51d65dd354bf08339d7c5e30f0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      PID:3012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Windows Defender\gahyqah.com
    Filesize: 23KB
    MD5: 87ab8c7a948c467a3f9fbf740a7b0974
    SHA1: b89fd27a2de6e8b7205665b85f31158ec59beb99
    SHA256: e477d89b787b865aca9dd1d0cb738e198d07796134429b2c51689962cb39eab2
    SHA512: b09beede4fd570615ca0cd11abd51bd790740d687f99ff37e5ca9704021710051950af694918007c4f9d12be3f9bfba43d90084cacbde651ea9d3da7b1a2bde7

  • C:\Program Files (x86)\Windows Defender\galyqaz.com
    Filesize: 102KB
    MD5: dbebcdf5d965ce9926c161befb5b16b2
    SHA1: a9a0dedabdaa5a3466f67a276c0cd706309ccc57
    SHA256: f5c5e565183e0e0be94020faadfe94c03576c30301cf884f1790a033fe7ecbdd
    SHA512: 47cd0dea6300c73d6f03da5df9c0113fbbfe52746d4c8b6af67e0760f04e6666c5cf654c81f34786a74c8557f2b7784406e26b1a5422b79cdbbb3f23d1670696

  • C:\Program Files (x86)\Windows Defender\pupydeq.com
    Filesize: 114B
    MD5: bfde1e9e9c32c1681a16139450c6909d
    SHA1: 7e669b927e6a75a10a0ca29e38e58ddcb49b725e
    SHA256: e0d020ba1cb6506cee234903a44c747ee0cfa7e2d1e60029e4cd8de9a431512a
    SHA512: 781fd54f155442dd34f9919b3cd063ee399db411bbfe15f2bdc43d3ab8ac2d04e1011b2c99fab42bebf7b903a94e09aaaef71b7a465d2d04b417f6dad8e8e396

  • C:\Program Files (x86)\Windows Defender\qegyval.com
    Filesize: 457B
    MD5: 531ec87a0b2f9477a52d88b111d0d46a
    SHA1: 50a72e5752075309f91c062e0282a7e7cd1e751e
    SHA256: 4875b451859b1eb8d0d3b040b1bb8d654d212edb6d9c721cf0f4372129579385
    SHA512: 07994963fd76b31ef0ba2c7f418dcb3ee0290f6baca2d8ec63a6e6b861557b13fbc20d2f0a10a66f35c4d72d4d2c1920ac88b96174604f2f8856868912327da1

  • C:\Program Files (x86)\Windows Defender\qetyhyg.com
    Filesize: 593B
    MD5: 926512864979bc27cf187f1de3f57aff
    SHA1: acdeb9d6187932613c7fa08eaf28f0cd8116f4b5
    SHA256: b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f
    SHA512: f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize: 1KB
    MD5: a266bb7dcc38a562631361bbf61dd11b
    SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
    SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
    SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 052406e99c1a9c47224d385948f6f577
    SHA1: 13a33902090ca00a570fed4c778f76f38b93d5f5
    SHA256: 5df06ae85af3bf53cc9c24ef2fe6d52ee2da078d537ff055c81ba66b014e486b
    SHA512: 502cfd71de5b465962addae68faed685e93aa2fee344e8d5df9c5d29b85401c6cfc5c416036f9b811e232241aa630930ba3eda33663d33b43c439d4e658a6501

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: fa950cb324d2bcde5fd455e736a391d9
    SHA1: 1a0675c28577b5cad821d0c56e96ced04a6bf806
    SHA256: 991f02b13a339caf949f7e7e7f2df511ad45aa7cf930ba8fb5d94ed0e4c3c85f
    SHA512: 1e6fb12e1d42bcc34940e5d851cebe11e5c467a07e21feb5462ef0b093a91c152bbc3045bfd997130b8fa430ade7461c8713d774b19baa4d7c1479779c6ba4da

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize: 242B
    MD5: c6211e7a2dcc59dd28326aaa0e17c4d0
    SHA1: 857364550cef6b5f933498957f213316eb868b93
    SHA256: b4c4d9117be534b285cfeb4babb74c2b97fa970e3d1eb520384e4788c6b2671a
    SHA512: 2a04b6fa15b05b66375366038842ff3d6c37165bd30a3fe22c56d366e10a6cc7d1ef94acbe71390f025fdcd860e92f806fd7e27e6874eb56f6103d9a85d178be

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\login[2].htm
    Filesize: 168B
    MD5: d57e3a550060f85d44a175139ea23021
    SHA1: 2c5cb3428a322c9709a34d04dd86fe7628f8f0a6
    SHA256: 43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c
    SHA512: 0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

  • C:\Users\Admin\AppData\Local\Temp\Cab1805.tmp
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar18C3.tmp
    Filesize: 171KB
    MD5: 9c0c641c06238516f27941aa1166d427
    SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
    SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
    SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Local\Temp\Tar1994.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Windows\AppPatch\svchost.exe
    Filesize: 213KB
    MD5: fd1c38cd13540bd277d7b3b736d8eb0c
    SHA1: f91d8079dc36b9f5a6cc2a6e5a4901c32c8371ff
    SHA256: e2529838291c31ffc58763ee8b4bda8b2c2a6671a114045998f9f62ee455b958
    SHA512: bfd383bef993f7b2787c594ff32ca5daeb705ca143f688c13533ed49890337404ee85e5c637c4bf00f91fc14b57616bed870ab8d7cbbe3d92fc478ba94e4163e

  • memory/2156-0-0x0000000000400000-0x0000000000494000-memory.dmp
    Filesize: 592KB
  • memory/2156-19-0x00000000004A0000-0x0000000000534000-memory.dmp
    Filesize: 592KB
  • memory/2156-20-0x0000000000400000-0x0000000000494000-memory.dmp
    Filesize: 592KB
  • memory/2156-21-0x0000000000220000-0x000000000026F000-memory.dmp
    Filesize: 316KB
  • memory/2156-22-0x0000000000400000-0x000000000045C000-memory.dmp
    Filesize: 368KB
  • memory/2156-3-0x0000000000400000-0x000000000045C000-memory.dmp
    Filesize: 368KB
  • memory/2156-2-0x0000000000220000-0x000000000026F000-memory.dmp
    Filesize: 316KB
  • memory/2156-1-0x0000000000400000-0x0000000000494000-memory.dmp
    Filesize: 592KB
  • memory/3012-68-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-88-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-51-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-81-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-87-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-86-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-85-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-83-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-82-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-79-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-78-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-76-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-75-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-74-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-73-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-71-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-70-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-42-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-67-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-65-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-63-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-62-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-61-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-59-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-58-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-56-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-55-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-53-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-50-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-52-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-84-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-80-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-77-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-72-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-69-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-66-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-64-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-60-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-45-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-57-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-54-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-49-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-48-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-47-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-38-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-40-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-37-0x0000000000400000-0x0000000000494000-memory.dmp
    Filesize: 592KB
  • memory/3012-26-0x0000000001E00000-0x0000000001EA4000-memory.dmp
    Filesize: 656KB
  • memory/3012-30-0x0000000001E00000-0x0000000001EA4000-memory.dmp
    Filesize: 656KB
  • memory/3012-35-0x0000000001E00000-0x0000000001EA4000-memory.dmp
    Filesize: 656KB
  • memory/3012-36-0x0000000001E00000-0x0000000001EA4000-memory.dmp
    Filesize: 656KB
  • memory/3012-32-0x0000000001E00000-0x0000000001EA4000-memory.dmp
    Filesize: 656KB
  • memory/3012-28-0x0000000001E00000-0x0000000001EA4000-memory.dmp
    Filesize: 656KB
  • memory/3012-25-0x0000000000400000-0x0000000000494000-memory.dmp
    Filesize: 592KB
  • memory/3012-23-0x0000000000400000-0x0000000000494000-memory.dmp
    Filesize: 592KB
  • memory/3012-24-0x0000000000400000-0x0000000000494000-memory.dmp
    Filesize: 592KB
  • memory/3012-46-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB
  • memory/3012-44-0x00000000024C0000-0x0000000002572000-memory.dmp
    Filesize: 712KB