Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 04/06/2024, 10:30
Static task: static1
Behavioral task: behavioral1
- Sample: d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe
- Size: 206KB
- MD5: d15f162143ecf24dc8033a92b7af21b0
- SHA1: e2a17ff3f08464b64e40188ebe2603fbac3ff169
- SHA256: 9b488fea68a6f383be27b1506d5d4b7e73840126037578d97b992aada9a4f5a4
- SHA512: 5e47ded8736d64252a0e2e12be55e432f73e5b6f23a6ad6ce7bd01e8b5b4e4c3e25cdcd38cccfe1e140472f6b3c3d6f44a62122a279f18da208fd387f1efee74
- SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLx:5vEN2U+T6i5LirrllHy4HUcMQY6Kx
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
Executes dropped EXE (4 IoCs)
- PID 2760 explorer.exe
- PID 1464 spoolsv.exe
- PID 2664 svchost.exe
- PID 3000 spoolsv.exe
Loads dropped DLL (8 IoCs)
- PID 2220 d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe (2 entries)
- PID 2760 explorer.exe (2 entries)
- PID 1464 spoolsv.exe (2 entries)
- PID 2664 svchost.exe (2 entries)
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
Drops file in Windows directory (6 IoCs)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe)
- File opened for modification: \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: svchost.exe)
- File opened for modification: C:\Windows\system\udsys.exe (process: explorer.exe)
Enumerates physical storage devices (1 TTPs)
- Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2220 d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe (1 entry)
- PID 2760 explorer.exe (32 entries)
- PID 2664 svchost.exe (31 entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2760 explorer.exe
- PID 2664 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 2220 d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe (2 entries)
- PID 2760 explorer.exe (2 entries)
- PID 1464 spoolsv.exe (2 entries)
- PID 2664 svchost.exe (2 entries)
- PID 3000 spoolsv.exe (2 entries)
- PID 2760 explorer.exe (2 further entries)
Suspicious use of WriteProcessMemory (28 IoCs; each write is recorded 4 times)
- PID 2220 d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe wrote to memory of PID 2760 (procid_target 28)
- PID 2760 explorer.exe wrote to memory of PID 1464 (procid_target 29)
- PID 1464 spoolsv.exe wrote to memory of PID 2664 (procid_target 30)
- PID 2664 svchost.exe wrote to memory of PID 3000 (procid_target 31)
- PID 2664 svchost.exe wrote to memory of PID 2588 (procid_target 32)
- PID 2664 svchost.exe wrote to memory of PID 1192 (procid_target 36)
- PID 2664 svchost.exe wrote to memory of PID 2056 (procid_target 38)
Processes
1. C:\Users\Admin\AppData\Local\Temp\d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe (PID 2220)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\system\explorer.exe (PID 2760)
      Command line: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\system\spoolsv.exe (PID 1464)
         Command line: c:\windows\system\spoolsv.exe SE
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\system\svchost.exe (PID 2664)
            Command line: c:\windows\system\svchost.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\system\spoolsv.exe (PID 3000)
               Command line: c:\windows\system\spoolsv.exe PR
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
            5. C:\Windows\SysWOW64\at.exe (PID 2588)
               Command line: at 10:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5. C:\Windows\SysWOW64\at.exe (PID 1192)
               Command line: at 10:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5. C:\Windows\SysWOW64\at.exe (PID 2056)
               Command line: at 10:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads
- File 1
  - Filesize: 206KB
  - MD5: a953ae3fd2d62969a3aee17c53e64e31
  - SHA1: 6ddc72b281b8940822eda05df41e38f1c650e84a
  - SHA256: 8a20bf38e876531b52267c8dabac48bfc369a4f945820f89c38cbc7c3b190d1d
  - SHA512: ca86fde17e093d7c7facf9a040a7aead36940997141d566feb55cf6984417cbef0277393c657ca3a69024b460346ab671afa725e2eb0953ce5a098c466b7e608
- File 2
  - Filesize: 206KB
  - MD5: b88c7f992165cf68890c00fd472b7d8d
  - SHA1: 4b3e2af71f39671b7b09fa6ef359724dfad42b78
  - SHA256: 73584ce7d0356db818402cce57467f24ea2d682d9778b54f87a7debfee30a145
  - SHA512: 3403c5e88878d0fcc56b2522dd50febe1074e521b4b392088e2c58a95cdb633c0cb462ac7437ff20e749d8913e85a7776c3fde6887602a20fcfb00d224c7b0e1
- File 3
  - Filesize: 206KB
  - MD5: 58b2e99a9217b6af05d9c57811912303
  - SHA1: d9790850c072b06026446b39268ce22ed0cd3710
  - SHA256: d4c8284f5a548935337838d4cea7c1b9e921246d42471b31ebb42413353d6a62
  - SHA512: 5a7fe2330d689fac624e308f197838d0d7f1467c172b61eba6b39cbd35a0a094bd2f25e8dcc381dd5a1ac395818c6b77f14240e64f400b21b04d1c78dfe7a6af
- File 4
  - Filesize: 206KB
  - MD5: e4492e6b439249497d4c7a34a51b4485
  - SHA1: 690e360893e9622fb5ec4cc34880398edc0fb3b4
  - SHA256: 2e50bb957aac2e2aa4595c9df654702c1a57eb6330aa6e35dd94163fd0d60163
  - SHA512: 1e1989d10f9b938eafc3623d73e6f798da5e634bf5fb8f5f4f9dae41511a328d4b4a04ade93c1d8d5bb3b95120d233095950954bec63a9e1b341bd77514e9457