Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

e9c77ff857...cs.dll

windows7-x64

7

e9c77ff857...cs.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03/06/2024, 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9c77ff857afd14fe12e4ba6067a3b60_NeikiAnalytics.dll

  • Size

    540KB

  • MD5

    e9c77ff857afd14fe12e4ba6067a3b60

  • SHA1

    6ab740ea7f433a7bbbcf9bf2210c0c6178696540

  • SHA256

    7727cfd67763fc7715091d501c592054d94e4714b02338d394b4aadc63ad538d

  • SHA512

    21a1a685103b861996b0c1f1b8c98ab8b64c8136286d2357338bdb504baaa6c12a4534077d4f1eb9a731446a66eece54a9b5aca82b1763bad30933e66ce38ce6

  • SSDEEP

    6144:Bi05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:ErHGPv5SmptZDmUWuVZkxikdXcq

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9c77ff857afd14fe12e4ba6067a3b60_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2716
  • C:\Windows\system32\cleanmgr.exe
    C:\Windows\system32\cleanmgr.exe
    1⤵
      PID:2808
    • C:\Windows\system32\irftp.exe
      C:\Windows\system32\irftp.exe
      1⤵
        PID:2828
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\FDd.cmd
        1⤵
          PID:2632
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{33819f3b-2f8d-cfcb-0a23-a942879f9636}"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{33819f3b-2f8d-cfcb-0a23-a942879f9636}"
            2⤵
              PID:2116
          • C:\Windows\system32\msinfo32.exe
            C:\Windows\system32\msinfo32.exe
            1⤵
              PID:1644
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bNZvHy.cmd
              1⤵
              • Drops file in System32 directory
              PID:2584
            • C:\Windows\System32\eventvwr.exe
              "C:\Windows\System32\eventvwr.exe"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2844
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\YBnY7Uo.cmd
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1720
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /Create /F /TN "Vmvmshnity" /SC minute /MO 60 /TR "C:\Windows\system32\2313\msinfo32.exe" /RL highest
                  3⤵
                  • Creates scheduled task(s)
                  PID:1648

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\93717.tmp
              Filesize

              568KB

              MD5

              4d5bc9c77021cfa0ce52be8310d5a46a

              SHA1

              4a0cf1695df519b6f433e34d2ce494970dc6ac92

              SHA256

              26f417e4fda01e1da812ff2146e20194eed4382edd3be215124b00020471211a

              SHA512

              0df6c2b14519b1d80a6c4d61231d59ddf1941196f21cf7938322b2e4c38bfdc58d202791883feb88b6ece9710cd8ab611d301e8ae9f101753b7e1567e6ca8f3a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\FDd.cmd
              Filesize

              225B

              MD5

              8bfac86f5f28d57d6812167b847ec6f5

              SHA1

              b17c150aaf2d25820dc52485add7b0ddcf727490

              SHA256

              97b4ada649d8011093b6c7004a64c1c361b6f90a79071445656126077ce862af

              SHA512

              8772276a04717fe20b5f2f18a2169d145999e86d025bf40bd7b6cc0f9482dca26b0bbdbba678bc9233cf1f74ff761b1de674893a562ff9465596473f22898b2c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\S49AE.tmp
              Filesize

              568KB

              MD5

              3ba34b20ed8b2006dd20c078788cc105

              SHA1

              5769fbf966651d05c5b0f64e9e873885f51cbb93

              SHA256

              264f08fc385bc210505d0142bbbc6dbf8de6884741d5506a64ef5eeafa41d09f

              SHA512

              e71bbf5f3ac2cdf9971aaa49ea7a02e25fcd71ff41a2e0ba1d9dba826649f161f98676b3247b248d215ffa70042c37c4645793893d53405efbb39fd3da0b4a43

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\YBnY7Uo.cmd
              Filesize

              129B

              MD5

              ada5996d0589481682a46ca7bde5bad5

              SHA1

              4de98e762713a3001cbe41662b5c7bfce8846da9

              SHA256

              3a41f11d76b2d4554019fb894fa87e69707bf13fdd647129eeaa49b2f6e8bb03

              SHA512

              ace91f571c071c9b57c495faa1756b159c0f4ef3e4abb3f11858dd74974685d6b9ce860e5b026daecc48d03cf803e474db1982ecede9df0372cc4f513c37ef22

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\bNZvHy.cmd
              Filesize

              192B

              MD5

              cb8f235b4d0c38e8896b1aa47a7b4666

              SHA1

              9ba1e163c003af86e7b2d8e44eedab9305340c17

              SHA256

              cfbe30f897687079535b546245569bc84d29674dd9a84c17cb2796bc9c49eb0f

              SHA512

              e227433d1b1f04e12e484146c648b9ac39f421f1cf45aff85feb0c1f086a7b442997f3c992450f607f38cec112e2fe3f265475f7aca94516ae3ff67ae2fa3823

              Download Submit

            • C:\Users\Admin\AppData\Roaming\9grds\irftp.exe
              Filesize

              192KB

              MD5

              0cae1fb725c56d260bfd6feba7ae9a75

              SHA1

              102ac676a1de3ec3d56401f8efd518c31c8b0b80

              SHA256

              312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

              SHA512

              db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

              Download Submit

            • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tonqjizj.lnk
              Filesize

              864B

              MD5

              99c2437bf174ccfb70dc8b6379575587

              SHA1

              a348af40bdb0f00aaadafd573175a9e1ac88000f

              SHA256

              1960c8460dcb721857167da25931ad8171be0d9a6706e03d8db6598e12186185

              SHA512

              9de952df5d7aff4b301d8a10a2d5d52cde293320b98b1b499c7fa569fad963df9c55308b63ab9aae4fd3cb91a69e358408a04cc825cc86b4cef2c8db1e7be963

              Download Submit

            • memory/1188-25-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-23-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-11-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-12-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-13-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-15-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-16-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-14-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-17-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-18-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-19-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-82-0x0000000077876000-0x0000000077877000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1188-33-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-32-0x0000000002DD0000-0x0000000002DD7000-memory.dmp

              Filesize

              28KB

              Download

            • memory/1188-24-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-10-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-22-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-21-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-20-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-34-0x0000000077A81000-0x0000000077A82000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1188-43-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-47-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1188-49-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-50-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-9-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-8-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-7-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/1188-3-0x0000000077876000-0x0000000077877000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1188-4-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2716-6-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/2716-1-0x0000000140000000-0x0000000140087000-memory.dmp

              Filesize

              540KB

              Download

            • memory/2716-0-0x0000000000170000-0x0000000000177000-memory.dmp

              Filesize

              28KB

              Download