Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
03/06/2024, 17:46
General
-
Target
35a6b34cd556426a4027523f49a2bae0_NeikiAnalytics.exe
-
Size
65KB
-
MD5
35a6b34cd556426a4027523f49a2bae0
-
SHA1
89d19052169778f9a7efb1784ef7a3678e996c81
-
SHA256
ba9eec35d4cc7a953538e0d38c9439b5838692e4217f24ee6d74ee0c2ba6bf3f
-
SHA512
9907b51340f308b9fda4332ea1babd405d935425eec7a41a1d427df62f54f944b8741041fc32a5ae81efc22d548046901003f62d17e667e3302724faaae2d376
-
SSDEEP
1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuL:7WNqkOJWmo1HpM0MkTUmuL
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\35a6b34cd556426a4027523f49a2bae0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\35a6b34cd556426a4027523f49a2bae0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 17:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 17:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 17:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD51c0a35485c3533ddbee23dbb55f84e3a
SHA1da8a7f710c9f3e9712ce0acedda66c913dd7f840
SHA25698f2b7f8a3abe347edc0e88be7bd115f97d622c1ef5da3427ecdf09764026502
SHA51211a5c983c63d0d68e0ef830fb555af275e9d7071ad8bc269ee60cc781d1707a06139d934a7b8ff991ad04387431b9e2da3895d85452917af993b37b3a50df947
-
Filesize
65KB
MD5cfef465d63a085b2670a38b5df97d16e
SHA1d718e1da69e8307b4a34d8a9af045b43effbd72c
SHA2564e220c1884cec3d33c59eed0dbf129028b6c4f69c0c8464aad3365ae16e93e82
SHA51237e324b002f7258fb29e0bbe0538d087606a90c2b2a369f7bb8e00bfbd6196bd1e723298d94655074846c7d5f4d16ecd1eb2670983a92a03c64606b2c0a7e9ae
-
Filesize
65KB
MD5854daf1ede0bdb5773917c5a256d2d38
SHA17d4788d0829fe6553d0782f324f68ed25f56391b
SHA256586cba663255308f77e125ee6b1261d3f268847a3202872bb0cdc5fa4e167dc1
SHA512a7c6f4ab535028a0bd52e548444b9efd2f477e72e8fd752cd1d708acf8a9eed25d68119fede26be52b3e864c770c6dc20c08f76b1dcec970578d829e9e45ea3c
-
Filesize
65KB
MD5cfffdf2e85935a6aabf437b49c2ac4c1
SHA1d59abda3fba78afbc2665b7c6dc8552ab5dd9767
SHA256e452671a937e687f025e0a91835c2e6f4b8c36398e136237fb762b004de2009b
SHA512d9ddf9448cb3eb9b3785b4efc2953059fbbf822e188ebf06253bf726a3953237ad834526b58b0798915dac719b809bfc2ed366ce11cc0462415dadaad986907a
-
Filesize
1.3MB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
16KB
-
Filesize
180KB
-
Filesize
16KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB