Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 58s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/06/2024, 01:53
Static task: static1
Behavioral task: behavioral1
  Sample: 1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
Size: 135KB
MD5: 1f43d00309888b12dedfb42689412f70
SHA1: 5aa4505dc51811d042ac9f9f11fd08443e1e2fba
SHA256: 0662e158c48644abcdaa4be054335bd4a67d08821db5c4188371a2ba078515f2
SHA512: 15c13d3bd25772452fbfafb331a5a1c04d2c6c72f5ec58208807e18521d9573e9bf2c4c1bbaeec96df24229f394110ad5e3ddfa4167d9e855cac44a974edc73e
SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVVKR:UVqoCl/YgjxEufVU0TbTyDDalLKR
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Setting ShowSuperHidden to 0 makes Explorer hide files carrying the hidden+system attributes, which keeps the dropped copies out of sight of a user browsing the Windows directory.
-
Executes dropped EXE (4 IoCs)
pid | Process
2868 | explorer.exe
2476 | spoolsv.exe
2988 | svchost.exe
2668 | spoolsv.exe
-
Loads dropped DLL (4 IoCs)
pid | Process
2320 | 1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2868 | explorer.exe
2476 | spoolsv.exe
2988 | svchost.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
The keys are under Wow6432Node because the sample is a 32-bit process on a 64-bit host. RunOnce values are deleted as soon as they are consumed, which is why each of the two dropped processes writes both values: the explorer.exe copy re-arms svchost.exe and vice versa, and the daily scheduled task below provides a second trigger.
-
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
-
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
-
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2512 | schtasks.exe
860 | schtasks.exe
1984 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
2320 | 1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe | 17
2868 | explorer.exe | 24
2988 | svchost.exe | 23
-
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2868 | explorer.exe
2988 | svchost.exe
-
Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process | occurrences
2320 | 1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe | 2
2868 | explorer.exe | 2
2476 | spoolsv.exe | 2
2988 | svchost.exe | 2
2668 | spoolsv.exe | 2
-
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target | occurrences
PID 2320 wrote to memory of 2868 | 2320 | 1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe | 28 | 4
PID 2868 wrote to memory of 2476 | 2868 | explorer.exe | 29 | 4
PID 2476 wrote to memory of 2988 | 2476 | spoolsv.exe | 30 | 4
PID 2988 wrote to memory of 2668 | 2988 | svchost.exe | 31 | 4
PID 2868 wrote to memory of 2528 | 2868 | explorer.exe | 32 | 4
PID 2988 wrote to memory of 2512 | 2988 | svchost.exe | 33 | 4
Every write target is the child the writing process spawns in the tree below; no write into a pre-existing process is recorded, so this signature reflects process creation rather than injection into foreign processes.
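The persistence and evasion signatures above reduce to three checkable conditions: an autostart value (Run or RunOnce, either registry view) pointing into c:\windows\resources, a schtasks /create whose /tr target lives there or whose /tn borrows a system binary name, and ShowSuperHidden being set to 0. The following Python is an added example, not part of the tria.ge report or of the sample's code: it runs those rules over constructed event records that mirror the report's IoCs plus two benign controls. The event schema (type, target, data, image, command_line) is an assumption made for the example and is not a sandbox or Sysmon format.

```python
import re

# Autostart value under Run or RunOnce in either registry view; captures the value name.
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Explorer setting the sample sets to 0 so protected OS files stay hidden.
SUPER_HIDDEN_RE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.IGNORECASE)
# Drop directory from the report (optionally with the \??\ NT prefix); no
# legitimate installer places executables under c:\windows\resources.
DROP_DIR_RE = re.compile(r"^(?:\\\?\?\\)?c:\\windows\\resources\\", re.IGNORECASE)
# System binary names the dropped files and the task name borrow.
SYSTEM_NAMES = {"explorer", "svchost", "spoolsv"}
# schtasks arguments, quoted or bare.
TN_RE = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
TR_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)


def _arg(regex, cmdline):
    """Return the captured argument (quoted or bare form), or '' if absent."""
    m = regex.search(cmdline)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_registry_set(ev):
    """Rules for a registry value write: keys 'target', 'data', 'image' (assumed schema)."""
    hits = []
    m = AUTORUN_KEY_RE.search(ev["target"])
    if m and DROP_DIR_RE.search(ev["data"]):
        hits.append(f"autorun_into_windows_resources: {m.group('name')} -> {ev['data']}")
    if SUPER_HIDDEN_RE.search(ev["target"]) and str(ev["data"]) == "0":
        hits.append(f"show_super_hidden_disabled_by: {ev['image']}")
    return hits


def check_process_create(ev):
    """Rules for a process start: keys 'image', 'command_line' (assumed schema)."""
    hits = []
    cmd = ev["command_line"]
    if SCHTASKS_CREATE_RE.search(cmd):
        tn, tr = _arg(TN_RE, cmd), _arg(TR_RE, cmd)
        if DROP_DIR_RE.search(tr):
            hits.append(f"task_into_windows_resources: {tn} -> {tr}")
        if tn.lower() in SYSTEM_NAMES:
            hits.append(f"task_named_like_system_binary: {tn}")
    return hits


def triage(events):
    """Apply every rule to each event and return the findings in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set":
            findings.extend(check_registry_set(ev))
        elif ev["type"] == "process_create":
            findings.extend(check_process_create(ev))
    return findings


# Constructed events: the report's IoCs rewritten into the assumed schema, plus
# two benign controls (a vendor Run value and a vendor backup task) that must not fire.
SID = "S-1-5-21-3452737119-3959686427-228443150-1000"
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": r"c:\windows\resources\themes\explorer.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     "data": r"c:\windows\resources\svchost.exe RO"},
    {"type": "registry_set", "image": r"c:\windows\resources\svchost.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
     "data": r"c:\windows\resources\themes\explorer.exe RO"},
    {"type": "registry_set", "image": r"c:\windows\resources\themes\explorer.exe",
     "target": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "data": "0"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:56 /f'},
    {"type": "registry_set", "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "data": r"C:\Program Files\Vendor\agent.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn "VendorBackup" /tr "C:\Program Files\Vendor\backup.exe" /sc daily /st 02:00'},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The drop-directory rule is deliberately path-based rather than hash-based: the three copies this sample writes all have different hashes (see Downloads below), so the directory and the autostart wiring are the stable indicators.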
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe  (PID 2320)
    command line: "C:\Users\Admin\AppData\Local\Temp\1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\resources\themes\explorer.exe  (PID 2868)
      command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\resources\spoolsv.exe  (PID 2476)
        command line: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\resources\svchost.exe  (PID 2988)
          command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\resources\spoolsv.exe  (PID 2668)
            command line: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\schtasks.exe  (PID 2512)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:56 /f
            - Creates scheduled task(s)
        [5] C:\Windows\SysWOW64\schtasks.exe  (PID 860)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:57 /f
            - Creates scheduled task(s)
        [5] C:\Windows\SysWOW64\schtasks.exe  (PID 1984)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:58 /f
            - Creates scheduled task(s)
    [3] C:\Windows\Explorer.exe  (PID 2528)
        command line: C:\Windows\Explorer.exe
Two points of the tree matter for triage. The three schtasks invocations register the same task name "svchost" with /f (force overwrite) and successive start times, so only the last registration (01:58) survives; a single daily task named after a system binary but pointing into c:\windows\resources is the artefact to look for. And the dropped explorer.exe (PID 2868) launches the genuine C:\Windows\Explorer.exe (PID 2528), so a legitimate shell process appears in the tree with a masquerading parent rather than with winlogon or userinit as its parent.
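The tree shows three dropped binaries named after Windows system executables running from c:\windows\resources, and the dropped explorer.exe starting the genuine C:\Windows\Explorer.exe. As an added example (not code from the report or the sample), the Python below rebuilds the tree from (pid, ppid, image) records constructed from this page, flags every image whose file name is a system binary name but whose directory is not where Windows keeps that binary, reports each flagged process's parent chain back to the submitted sample, and separately finds legitimately located system binaries whose parent is a masquerade. The expected-directory table is an assumption drawn from a standard 64-bit install (SysWOW64 holds 32-bit copies of explorer.exe and svchost.exe), and the parent PID of the initial sample, which the report does not record, is set to 0 as a placeholder.

```python
import ntpath
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image")

# Where a standard 64-bit Windows install keeps binaries with these names
# (assumption for this example, not taken from the report).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}


def normalise(image):
    """Drop the \\??\\ NT object prefix the sandbox records and lower-case the path."""
    if image.startswith("\\??\\"):
        image = image[4:]
    return image.lower()


def is_masquerading(image):
    """True if the file name is a known system binary name but the directory is not."""
    directory, name = ntpath.split(normalise(image))
    expected = EXPECTED_DIRS.get(name)
    return expected is not None and directory not in expected


def ancestry(tree, pid):
    """Image chain from pid up to the root; stops at an unknown parent or a cycle."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(tree[pid].image)
        pid = tree[pid].ppid
    return chain


def find_masquerades(procs):
    """(pid, ancestry) for every process whose image masquerades as a system binary."""
    tree = {p.pid: p for p in procs}
    return [(p.pid, ancestry(tree, p.pid)) for p in procs if is_masquerading(p.image)]


def genuine_child_of_masquerade(procs):
    """PIDs of correctly located system binaries whose parent is a masquerade,
    the pattern seen when the dropped explorer.exe starts C:\\Windows\\Explorer.exe."""
    tree = {p.pid: p for p in procs}
    out = []
    for p in procs:
        parent = tree.get(p.ppid)
        name = ntpath.basename(normalise(p.image))
        if (parent and name in EXPECTED_DIRS and not is_masquerading(p.image)
                and is_masquerading(parent.image)):
            out.append(p.pid)
    return out


# Process records constructed from the report's tree. The parent of the submitted
# sample is not recorded on the page, so its ppid is 0 as a placeholder.
REPORT_PROCS = [
    Proc(2320, 0, r"C:\Users\Admin\AppData\Local\Temp\1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe"),
    Proc(2868, 2320, r"\??\c:\windows\resources\themes\explorer.exe"),
    Proc(2476, 2868, r"\??\c:\windows\resources\spoolsv.exe"),
    Proc(2988, 2476, r"\??\c:\windows\resources\svchost.exe"),
    Proc(2668, 2988, r"\??\c:\windows\resources\spoolsv.exe"),
    Proc(2528, 2868, r"C:\Windows\Explorer.exe"),
    Proc(2512, 2988, r"C:\Windows\SysWOW64\schtasks.exe"),
]

if __name__ == "__main__":
    for pid, chain in find_masquerades(REPORT_PROCS):
        print(pid, " <- ".join(chain))
    print("genuine binaries started by a masquerade:", genuine_child_of_masquerade(REPORT_PROCS))
```

On real telemetry the same two functions work over Sysmon event ID 1 or EDR process-start records once they are mapped onto Proc; the ancestry walk is what turns a single odd image path into the full chain back to the initial dropper.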
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads
-
File 1
  Filesize: 135KB
  MD5: 0fe8e90dd535ecf414e29b86ccf714a9
  SHA1: 4e43114d52d52a9b846b9baeeaf1fbe4f2edd90e
  SHA256: f10a700798b19624e9dd4c337dc2785a4492426f4f578097529ffbdc749516ee
  SHA512: 189550b54980374c16c5c8c9ec3b77f0b22f7f530ee382cfbb82771686406957ff9df33f9eb08a1657be310f707aec0099493671812583f3fc51086224add49c
-
File 2
  Filesize: 135KB
  MD5: 207099c68250206187cb0a54d92675dd
  SHA1: 4bfb0a10a2f983c36ce1e20e9bf3db815f973ff7
  SHA256: e594b04d0e9a7953d83eef559cb4b3a373184f490bb049cb3b671341ac0cb831
  SHA512: 45288d23b8c0d289db63299de4421ae6f229e3ac9eb68643a03d6c2b503bd909bb03bd2ade74cd0bd0b84e4c924e1239b5d10546b65df5b72c978b5c424a9269
-
File 3
  Filesize: 135KB
  MD5: ee5876294d8e0e871587333ad641adda
  SHA1: 903439aa619de3e640859fb978485e5397b15bb4
  SHA256: ffcfaf3853e0d68ea577984f0802b7d77f861a45361c99043804f7ac79b11652
  SHA512: 06acacb53e5b856376066d558e451d6e63cdde9e4d6685114b7dc5a5ea2935e65e0514cf3f4dde4de2e68c1d008b1f797005dd775ebda5af8d56810edda3b6f1
All three files have the same size as the submitted sample (135KB) but distinct hashes, none of them equal to the sample's own, so the submitted file's hashes will not match the copies written to disk; hunt on the c:\windows\resources paths, the RunOnce values and the "svchost" scheduled task instead.