Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/06/2024, 05:16

General

  • Target

    9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe

  • Size

    362KB

  • MD5

    9cbc65a627d76a1b569a87dac366fbc0

  • SHA1

    566e46ec048751ac74e3d149393884a5b278269b

  • SHA256

    a9571263f1e9762aa338e9c1b272afd3d02aa41fe57990042a9b2b953d3aed6a

  • SHA512

    e186800d136accf8c0cdb4226cf6489f4178021bc1c08bd1cc4546ea8ea150b9a3d6f5a67ebe230919e2c5eb469f44d40ac753958a5860f29b4e35b577b6fa8a

  • SSDEEP

    3072:VBI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ikE8gdkSLF2:VK5ArKjbAxXSaegUqGeGpBohMERx

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of UnmapMainImage 9 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Users\Admin\AppData\Roaming\compocom\autoWWIN.exe
        "C:\Users\Admin\AppData\Roaming\compocom\autoWWIN.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Users\Admin\AppData\Local\Temp\~2EED.tmp
          "C:\Users\Admin\AppData\Local\Temp\~2EED.tmp"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2696
      • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
        3⤵
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2796
  • C:\Windows\SysWOW64\rasaKEYs.exe
    C:\Windows\SysWOW64\rasaKEYs.exe -k
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:1804

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~2F79.tmp.xls

    Filesize

    71KB

    MD5

    6186c22cc888081ecf6f584e5d4f6aa7

    SHA1

    d6d75f24ed318dd6d00cc780b2926d49d4abf48c

    SHA256

    db1590fa28b91a615d939fa430cd59d60cfc12d7da9b2fee8acbb7e7d72ffc3c

    SHA512

    17d295231474ca7f43ee1e2b14c821f7107170a03169750114ae534d996394d0d4ba268b4438d38dadda7d169e54b55a9f6f363e7923049d97f524b4c43e97e2

  • C:\Windows\SysWOW64\rasaKEYs.exe

    Filesize

    362KB

    MD5

    9cbc65a627d76a1b569a87dac366fbc0

    SHA1

    566e46ec048751ac74e3d149393884a5b278269b

    SHA256

    a9571263f1e9762aa338e9c1b272afd3d02aa41fe57990042a9b2b953d3aed6a

    SHA512

    e186800d136accf8c0cdb4226cf6489f4178021bc1c08bd1cc4546ea8ea150b9a3d6f5a67ebe230919e2c5eb469f44d40ac753958a5860f29b4e35b577b6fa8a

  • \Users\Admin\AppData\Local\Temp\~2EED.tmp

    Filesize

    6KB

    MD5

    a75b85807d7bbca99ac329c731588a13

    SHA1

    cef931274c69e40c71b9bea41cfc61c0528400c5

    SHA256

    436f76ee66b202e6dd933808ce7d003766da8440523e3dd8d16dba8d4b4e031f

    SHA512

    4bc842dafecc41bd250c7e4dfbed3fab0d117d7e508f3567424ab9ba0bcd4dff55a21d187722f7c970691e07563b92c183064bec68117d21b34c0fe92ca90255

  • \Users\Admin\AppData\Roaming\compocom\autoWWIN.exe

    Filesize

    172KB

    MD5

    b6217e29e8570dc9d26715db5420c77f

    SHA1

    c1a579bfe8a09ca79819a306259360d2f323fe73

    SHA256

    ba2c39b8535169803c5b5614034573a6ea32ee7db14df89a82a10c47c26554f5

    SHA512

    ec21956393f040baf4d48ee0c07e2506b21fde2885a05f06e85304fae9e40f9899b1bca1004ccaa9d8f43b6fd8fd7e31518f6a6c29fd868f88d60253172e762a

  • memory/1200-17-0x0000000002100000-0x0000000002141000-memory.dmp

    Filesize

    260KB

  • memory/1200-21-0x0000000002100000-0x0000000002141000-memory.dmp

    Filesize

    260KB

  • memory/1200-16-0x0000000002100000-0x0000000002141000-memory.dmp

    Filesize

    260KB

  • memory/1724-0-0x00000000001F0000-0x000000000025D000-memory.dmp

    Filesize

    436KB

  • memory/1804-27-0x0000000000200000-0x000000000026D000-memory.dmp

    Filesize

    436KB

  • memory/1804-28-0x0000000000200000-0x000000000026D000-memory.dmp

    Filesize

    436KB

  • memory/1804-29-0x0000000000200000-0x000000000026D000-memory.dmp

    Filesize

    436KB

  • memory/2228-12-0x0000000000070000-0x00000000000AE000-memory.dmp

    Filesize

    248KB

  • memory/2796-32-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2796-33-0x0000000072ABD000-0x0000000072AC8000-memory.dmp

    Filesize

    44KB

  • memory/2796-35-0x0000000072ABD000-0x0000000072AC8000-memory.dmp

    Filesize

    44KB

  • memory/2796-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2796-37-0x0000000072ABD000-0x0000000072AC8000-memory.dmp

    Filesize

    44KB