Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

0bd89d5bb4...cs.exe

windows7-x64

8

0bd89d5bb4...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/06/2024, 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe

  • Size

    80KB

  • MD5

    0bd89d5bb47e6638e0c3560a06bdbc10

  • SHA1

    d34ceb7145722e2bee9471970cc3023467b8a679

  • SHA256

    5dd3b3f9bc7fe3ba2fbf8f3cb9bbebd2804eb2af4979c028a4ecc30060db9ddb

  • SHA512

    1c69ae73e6bb4016430d0187a09460a40bcdb9b798bf6c2c6c389848432deaed38d4867b651417f94a41bf4ee9bc2efd39fa58f2b230233000f0e34a400e5711

  • SSDEEP

    384:vbLwOs8AHsc4sMfwhKQLroH4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUOV:vvw9816vhKQLroH4/wQRNrfrunMxVFAi

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\{4A218866-07DE-4e95-8B62-0046884D9A5B}.exe
      C:\Windows\{4A218866-07DE-4e95-8B62-0046884D9A5B}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Windows\{69CA6B25-5C31-46e3-B5B9-CA15BA7015EB}.exe
        C:\Windows\{69CA6B25-5C31-46e3-B5B9-CA15BA7015EB}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1384
        • C:\Windows\{31397972-2DDD-49e2-A629-D7C4F8DBC466}.exe
          C:\Windows\{31397972-2DDD-49e2-A629-D7C4F8DBC466}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3248
          • C:\Windows\{CC81391F-71E5-47f0-9C37-0ADE5A2C789A}.exe
            C:\Windows\{CC81391F-71E5-47f0-9C37-0ADE5A2C789A}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Windows\{D6FAF644-B858-426a-ABAE-1D0E9DC4B30C}.exe
              C:\Windows\{D6FAF644-B858-426a-ABAE-1D0E9DC4B30C}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3016
              • C:\Windows\{3FE6E911-8CAF-4c32-AAD3-EB2328E0B98A}.exe
                C:\Windows\{3FE6E911-8CAF-4c32-AAD3-EB2328E0B98A}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4016
                • C:\Windows\{0AEC674E-A9A0-4bca-A7B4-47D9662BE93C}.exe
                  C:\Windows\{0AEC674E-A9A0-4bca-A7B4-47D9662BE93C}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1416
                  • C:\Windows\{93F44667-9F9D-4b3a-9F08-0C01DDB29D02}.exe
                    C:\Windows\{93F44667-9F9D-4b3a-9F08-0C01DDB29D02}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1612
                    • C:\Windows\{9E714F58-DD98-4739-AFBA-7A4666C88E40}.exe
                      C:\Windows\{9E714F58-DD98-4739-AFBA-7A4666C88E40}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2264
                      • C:\Windows\{651E850C-DE90-4de1-BED1-202FED6CAE27}.exe
                        C:\Windows\{651E850C-DE90-4de1-BED1-202FED6CAE27}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:892
                        • C:\Windows\{EE197D20-9784-4d28-9768-0396C25D6A1B}.exe
                          C:\Windows\{EE197D20-9784-4d28-9768-0396C25D6A1B}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:4480
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{651E8~1.EXE > nul
                          12⤵
                            PID:3180
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{9E714~1.EXE > nul
                          11⤵
                            PID:3916
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{93F44~1.EXE > nul
                          10⤵
                            PID:404
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{0AEC6~1.EXE > nul
                          9⤵
                            PID:2692
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{3FE6E~1.EXE > nul
                          8⤵
                            PID:3432
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{D6FAF~1.EXE > nul
                          7⤵
                            PID:3652
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CC813~1.EXE > nul
                          6⤵
                            PID:2284
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{31397~1.EXE > nul
                          5⤵
                            PID:3628
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{69CA6~1.EXE > nul
                          4⤵
                            PID:3284
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{4A218~1.EXE > nul
                          3⤵
                            PID:1104
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0BD89D~1.EXE > nul
                          2⤵
                            PID:2644
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3280 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
                          1⤵
                            PID:3088

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{0AEC674E-A9A0-4bca-A7B4-47D9662BE93C}.exe
                            Filesize

                            80KB

                            MD5

                            98c85edd817872e3c61cceca800439ee

                            SHA1

                            ba2817d2d3c08baca196c301e7697d56607d5ed4

                            SHA256

                            906120713c1d7f484b85768701431320a8a98bce1ba6023a40da1a418efb1672

                            SHA512

                            e9b27feced929f0fff8873248383b0bcce801053eeb30134f6be0d7cf62aad71d74ebdacd4643ec39452038be5f59465f384a085cddd8bba59d5c54c9f95a23d

                            Download Submit

                          • C:\Windows\{31397972-2DDD-49e2-A629-D7C4F8DBC466}.exe
                            Filesize

                            80KB

                            MD5

                            133b78ddc9a707a8ace909830976e175

                            SHA1

                            75b82cbd3013725aaf108cadb9dcb7d53102d546

                            SHA256

                            ea267239a9d6aba1f925b04aeb27ef58c3ec08fc1a519f73add8a2e02d6d067d

                            SHA512

                            cbd4183149f8ce2f088ed19b4e6c9c8e50c6d1193e0a10221ac9cc1ae4fafd2083e1a043a8e0f65596562ce053f98072b6475815c986a6c3758d9b3fa05ada59

                            Download Submit

                          • C:\Windows\{3FE6E911-8CAF-4c32-AAD3-EB2328E0B98A}.exe
                            Filesize

                            80KB

                            MD5

                            594dcaf8a765ece488e82071b2b9a7da

                            SHA1

                            5cbe6ba07a7493a5c0ceef74327c73db1d87a26b

                            SHA256

                            8225d73ccc6d749aebf76521954ca10d72abd201544bc3d8659a99ebc3eecf18

                            SHA512

                            304dbf673ac2e651a587fdf9bfbc47dca613fe53baed0a46649b2d1dc30f68f12c5ab89e1982d73de0a61f0f3f84f0aef3f4a3105a0f4a3d9aaee41676404dbb

                            Download Submit

                          • C:\Windows\{4A218866-07DE-4e95-8B62-0046884D9A5B}.exe
                            Filesize

                            80KB

                            MD5

                            d4db54d19248678b0d88dc65b4a811b1

                            SHA1

                            9c9e738bdb20bfe5001a14f9347b0ba0b79f0aba

                            SHA256

                            6693be6515ab89ac4754153cfc01e6dbb6296f545ef65e426ad462adb5c0f5b4

                            SHA512

                            ad1d7851f9c5cf6cd67e6bf0500780bde6786a9d45ec19a14bb853eb1925d9720819b078a185a174efbb78112a44fda613ab4ed13023baec4d33ee6f4310b253

                            Download Submit

                          • C:\Windows\{651E850C-DE90-4de1-BED1-202FED6CAE27}.exe
                            Filesize

                            80KB

                            MD5

                            c91eb494ecd11c45830e334705d45392

                            SHA1

                            ecefbf2f66bddac2efdd7596e522fd8aff959703

                            SHA256

                            6fbbe2bc70692590a2cac95123e2f1cd003f5282bf504c2e2521e83c169608a4

                            SHA512

                            dc76b509d9d047da066e286a60bf0c89717ecce0e060a261af5736e01471848b809c8368d16e8e96fa6780eb5c3dd974b5feae93dc94663f480093787f805954

                            Download Submit

                          • C:\Windows\{69CA6B25-5C31-46e3-B5B9-CA15BA7015EB}.exe
                            Filesize

                            80KB

                            MD5

                            6f18f0551971e0b6a13781d60b37ff50

                            SHA1

                            58166d63c13a6bae87ef2f428662b0b03189390b

                            SHA256

                            153c55e204a1e4858d354c04119027076ad3b25dad7115b4af6058ea6a291623

                            SHA512

                            d66420239174396b184e0f40d27c925754372f30c4dda01a7bd7d64d29fbf6eb44278f1f3694273f75086c849075dcc9a6262386143819b3d4666d947d682f56

                            Download Submit

                          • C:\Windows\{93F44667-9F9D-4b3a-9F08-0C01DDB29D02}.exe
                            Filesize

                            80KB

                            MD5

                            a3ff436888f29d09c797c7378fccf0a2

                            SHA1

                            4553e5e2589919f24bf2435469a03cd67e2c94b7

                            SHA256

                            0e4a2365147a16df21c39de0817d4c319b123ccd75c443f73ae057e34d676150

                            SHA512

                            154d01f388794f44ad4f653f998a5bb316b43950e775aabb83c319ba092e03f9ac3e225efc89d80d95c10cfdae6d0ee53944929e7ac9c430342d9f13220ac70e

                            Download Submit

                          • C:\Windows\{9E714F58-DD98-4739-AFBA-7A4666C88E40}.exe
                            Filesize

                            80KB

                            MD5

                            897ff6288764aa2a7c2513e1c34269e0

                            SHA1

                            e4797472397a128f72a396746cf653ecb2d54760

                            SHA256

                            e4a9dd3f4d62d0c56e764c912d8f2e11a3c923f43ae89eef91c45102c010d415

                            SHA512

                            c6e1d5679559f844b79dec585af76d67cba45a614bec6602933b502554c0a82aed82571cee98d08e85bd34e622278d056577c36a3e3355a5bc1455fb483d5ebc

                            Download Submit

                          • C:\Windows\{CC81391F-71E5-47f0-9C37-0ADE5A2C789A}.exe
                            Filesize

                            80KB

                            MD5

                            a0eb0c9af17b37f532e7870d11a14e94

                            SHA1

                            0b3c4a48e0347f8d4a2f323bf38d50ec0a431dbf

                            SHA256

                            9f49e68b8465d08709abd7880b00127761435cbff674149d24c57e832523764a

                            SHA512

                            a9eaf4bd71b8a18d62cff032b53594b4c4b4949d2111c561f1706397a3d40c2ef631ada0c62b83177fc8e408efb9afb1681a77b7dfcd846a99ba795b8166b78c

                            Download Submit

                          • C:\Windows\{D6FAF644-B858-426a-ABAE-1D0E9DC4B30C}.exe
                            Filesize

                            80KB

                            MD5

                            f3e98eb3368828ca330e823f5e4a2a07

                            SHA1

                            a2cdd2b0c86e7eb05edcfe08234199bf42e21b66

                            SHA256

                            08b0e17fcf19c4c7848b662117acdb2634af8fbf2aba4bbdb1eb801374de6875

                            SHA512

                            5149e8be226344e32b234d8b4158cfda347ddcd026e65d707c8cc1443dfdf3b7e27def2f556e53ac7b8dc378ddd07f2c600a3c235bf3c30bff95636e81b2478f

                            Download Submit

                          • C:\Windows\{EE197D20-9784-4d28-9768-0396C25D6A1B}.exe
                            Filesize

                            80KB

                            MD5

                            0ebe9baf44591412504aaf1a1417360b

                            SHA1

                            4061aad2f8b108bb854a94f1ccf87ca4542a0b3a

                            SHA256

                            bdb949442d250f4ed65d77932574ebef3fb08c3df7c01380c05e3dd0315427b2

                            SHA512

                            10f1b57f0afad897dc1194be26bafe84d31023dd895cb10832a0c8ce497884f6602ae7e63eaf57ce3b0cc7e3d60726a315daea26cfede23a97d19e07c8fe9c11

                            Download Submit