Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    04/06/2024, 04:23

General

  • Target

    2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe

  • Size

    447KB

  • MD5

    2ce35c36903ad6e372ab53011e3b8820

  • SHA1

    b804f66019f09df78eb7e02af03244911e3d1a3f

  • SHA256

    eb7e28ae2e5f7628fa2838fa3424952ba50e76e8f003b36115a035d19b22662b

  • SHA512

    986d80c52febb709076f200ebafcd2b336f7c962b85ae58d0fc6564da8c4353a53c2fa62ce1b6a1251c27ca3785299e74f881de9873b23e7cf42b796fa0ffcc8

  • SSDEEP

    12288:hPnA65XwlYgrHy6V17kr8+m73q+pgkxzdxRlabQYtCAZ5cIkKix:hPJwlBrygOW3q49ldx7XIa

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
        "C:\Users\Admin\AppData\Local\Temp\2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1580
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3004
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:3000
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\$$a18ED.bat
            3⤵
            • Deletes itself
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2680
            • C:\Users\Admin\AppData\Local\Temp\2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
              "C:\Users\Admin\AppData\Local\Temp\2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2828
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2712
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2632
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:2636
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2488
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:2592

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

            Filesize

            258KB

            MD5

            a4c8106e6b09119bbdf16d697e5562fc

            SHA1

            ca9fc6811703e29f7752f3a13e114fe904d0ebaa

            SHA256

            184bfec75adf37374d96cb6ae5ea764fbeff8618090ad0618eb99cd4d620a606

            SHA512

            8ea21582fc055e1e90fbfc92778c62f6aefa2681504b8c5a7d63e6e27f8064f9dffc4251765d3e3f15737cbc136cfa5c1c1e864246b8808659e56addc75e976d

          • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

            Filesize

            478KB

            MD5

            5264aab343fc1f53c29d1065346d0010

            SHA1

            db43bc0b28b4ada0c5635db50fd0b64410ab76ad

            SHA256

            d33d56847b353c8207a43aa01cc75527328ebf4bba669e90e29266d1b6fb57dd

            SHA512

            bb4ba1f7c5cae56cef564dd99f1a1fd3e2c656f8004f689a22ea641d886cbb3a19dde3dce5be4cf8cee4ce190170fd8c5390cb9c7c40ae54109559685119a958

          • C:\Users\Admin\AppData\Local\Temp\$$a18ED.bat

            Filesize

            620B

            MD5

            407087bb1fbd8d25f455179c88d22b31

            SHA1

            7bcd43ffdd44e648d56b43179dccbc9a733b9628

            SHA256

            9103ad22305055e3fa672c6f6d2b01d9dbfba06a7c5ec1c46ddf594fd84e9d81

            SHA512

            0012104aadc4e3dac7f16cfb9bf43f647cc3ebab29cb575b2471dfe70862c9a0cff7ae2ccb033ae6bfd62281d701f15075ca0e0d4618b8e70ff8886ef1ae0c86

          • C:\Users\Admin\AppData\Local\Temp\2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe.exe

            Filesize

            413KB

            MD5

            61f00cd504821ba3727f40ba91c0aa38

            SHA1

            1923a6331cf73dde5af1cb5573f35d9cce3a86b6

            SHA256

            7d317c9d43001251d8ba8ad9c81d2959e8a8030927ff3b7ed6a3b91840409552

            SHA512

            f1efd9094f5a6a14e19b2e418605c65be4fc0505e231072503786caefb42651ff9df2d3504c7bb84373097cc25651e495be85003ae45e81bd5e0ce22bb489935

          • C:\Windows\Logo1_.exe

            Filesize

            33KB

            MD5

            a20cdac89a48ae7a0f01bd4686d6cd5f

            SHA1

            df10d5972a5960f8f318e76140a3a2797a62fd3e

            SHA256

            5fc2bdd002b6e88ab0ad4cd67d58daa3c9e2a58df0ad9579d540f6e2320f8c89

            SHA512

            0c2227986fc0fab88c8dcd796f8cc235f8c155c99af38c5210448657d4dfafa387eb4747e118d89baa7cbaa0eb74ad30bebcb1e04fafbe64ef11920358691797

          • F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini

            Filesize

            8B

            MD5

            378d822ce12583d0d584184af22d1d77

            SHA1

            c062ac770b028df6db676099e02f09fc2f77b171

            SHA256

            1ad01f8e46c86dfa34468e306eabe54b58d56134130b53ea7677961e3baaf6c7

            SHA512

            23cf7b916de734c6bb6fd3b2beee21f3e82bc95e93d8662dca818d7cf13602706f22671dce61388b2a7e0b613c07c70512331c4132759b16cf438cb1750bc397

          • memory/1192-29-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

            Filesize

            4KB

          • memory/1580-0-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

          • memory/1580-17-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

          • memory/2680-24-0x0000000002410000-0x0000000002504000-memory.dmp

            Filesize

            976KB

          • memory/2712-33-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

          • memory/2712-19-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

          • memory/2712-3344-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

          • memory/2712-4174-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

          • memory/2828-25-0x0000000000400000-0x00000000004F4000-memory.dmp

            Filesize

            976KB

          • memory/2828-32-0x0000000000400000-0x00000000004F4000-memory.dmp

            Filesize

            976KB