Analysis
- max time kernel: 113s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/06/2024, 01:53
Static task
- static1

Behavioral task
- behavioral1
  Sample: 1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: 1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
- Target: 1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
- Size: 135KB
- MD5: 1f43d00309888b12dedfb42689412f70
- SHA1: 5aa4505dc51811d042ac9f9f11fd08443e1e2fba
- SHA256: 0662e158c48644abcdaa4be054335bd4a67d08821db5c4188371a2ba078515f2
- SHA512: 15c13d3bd25772452fbfafb331a5a1c04d2c6c72f5ec58208807e18521d9573e9bf2c4c1bbaeec96df24229f394110ad5e3ddfa4167d9e855cac44a974edc73e
- SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVVKR:UVqoCl/YgjxEufVU0TbTyDDalLKR
Malware Config

Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)

Executes dropped EXE (4 IoCs)
- PID 2148 explorer.exe
- PID 2880 spoolsv.exe
- PID 1572 svchost.exe
- PID 3712 spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: explorer.exe)

Drops file in System32 directory (2 IoCs)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (process: explorer.exe)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (process: svchost.exe)

Drops file in Windows directory (4 IoCs)
- File opened for modification \??\c:\windows\resources\themes\explorer.exe (process: 1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe)
- File opened for modification \??\c:\windows\resources\spoolsv.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\resources\svchost.exe (process: spoolsv.exe)
- File opened for modification C:\Windows\Resources\tjud.exe (process: explorer.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs; the report lists the same two processes repeatedly)
- PID 4656 1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe (repeated entries)
- PID 2148 explorer.exe (repeated entries)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2148 explorer.exe
- PID 1572 svchost.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
- PID 4656 1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe (2 entries)
- PID 2148 explorer.exe (2 entries)
- PID 2880 spoolsv.exe (2 entries)
- PID 1572 svchost.exe (2 entries)
- PID 3712 spoolsv.exe (2 entries)

Suspicious use of WriteProcessMemory (12 IoCs; each write is listed three times in the report)
- PID 4656 (1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe) wrote to memory of PID 2148, procid_target 91
- PID 2148 (explorer.exe) wrote to memory of PID 2880, procid_target 92
- PID 2880 (spoolsv.exe) wrote to memory of PID 1572, procid_target 93
- PID 1572 (svchost.exe) wrote to memory of PID 3712, procid_target 94
Processes
- C:\Users\Admin\AppData\Local\Temp\1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe"
  Depth: 1, PID: 4656
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\resources\themes\explorer.exe
    Command line: c:\windows\resources\themes\explorer.exe
    Depth: 2, PID: 2148
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\spoolsv.exe
      Command line: c:\windows\resources\spoolsv.exe SE
      Depth: 3, PID: 2880
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\svchost.exe
        Command line: c:\windows\resources\svchost.exe
        Depth: 4, PID: 1572
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe PR
          Depth: 5, PID: 3712
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4388 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
  Depth: 1, PID: 3400
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 135KB
  MD5: bd2e5626ba3f2989d012758fabf968a1
  SHA1: 071672e429a04b92b60dcfb2c6c1b976b4fcf11e
  SHA256: f721ffe08684c5bcb106b8e8e8c89bbad5388c0518a4dacedcaecd260740bdab
  SHA512: 1072036bd9e266f85a83e8aae3f4a2a07a552e1ec7b79e4ce4c3cfd5fffd064fc520c00ab81942a8a8b4854f57faf4b7a52794ac880f40fde3a6e6f71368a6e4
- Filesize: 135KB
  MD5: 57e047431e7ca7c567e54db864c62447
  SHA1: d558244d755df0244364b55d8963272d50475e50
  SHA256: 958fe7ca6c93f8f850586e896a1c20e45afc8e5094fead7b8afbfab36cd11c48
  SHA512: 77b92e7a2f2cd36e9d9c5e44f41fca2addff68ccaad235bd5be56e90f96f81b9c219828945e29d79931c24e2703ed38c1fdba5ea9cc8fdd0bf182a56e2a00d02
- Filesize: 135KB
  MD5: eb3d6508adbb1a3309b0c0cf72886062
  SHA1: a8bff2748ebfdd7c59063d7887798a5d69a947e5
  SHA256: d5cd33313d1853d360a62e514851d6b408894ddba09c509bd54bf824abcabe92
  SHA512: d2219b1b28a541ef69035a8981cb3e0b7d406d44e7f181e6451c39ba6002eabfe59f2714edc77586c479415176719df5e3dbce05979a896db1f519e6b5313ace