Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04/06/2024, 10:30

General

  • Target

    d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe

  • Size

    206KB

  • MD5

    d15f162143ecf24dc8033a92b7af21b0

  • SHA1

    e2a17ff3f08464b64e40188ebe2603fbac3ff169

  • SHA256

    9b488fea68a6f383be27b1506d5d4b7e73840126037578d97b992aada9a4f5a4

  • SHA512

    5e47ded8736d64252a0e2e12be55e432f73e5b6f23a6ad6ce7bd01e8b5b4e4c3e25cdcd38cccfe1e140472f6b3c3d6f44a62122a279f18da208fd387f1efee74

  • SSDEEP

    3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLx:5vEN2U+T6i5LirrllHy4HUcMQY6Kx

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2640
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1576
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3380
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1256
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4020
          • C:\Windows\SysWOW64\at.exe
            at 10:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:5028
          • C:\Windows\SysWOW64\at.exe
            at 10:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2360
          • C:\Windows\SysWOW64\at.exe
            at 10:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:1104
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4088,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
    1⤵
    PID:1040
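
The process tree above is a compact persistence chain: copies named explorer.exe, spoolsv.exe and svchost.exe run from c:\windows\system (a directory none of those binaries ships in), the svchost.exe copy schedules itself with three at.exe jobs that fire every day of the week, and the signatures report writes to the Winlogon, Run-key, Installed Components and Explorer hidden-file settings. The Python below is an added example, not part of the tria.ge report or its tooling: it runs simple detection rules over a constructed Sysmon-style event list that mirrors this tree plus one benign svchost.exe as a control. The registry events and their value names (Winlogon\Shell, Run\mrsys, an all-zero Installed Components GUID, Explorer\Advanced\ShowSuperHidden) are assumptions shaped to the signature names, because the report lists the signatures but not the values actually written.

```python
"""Added example, not part of the tria.ge report: detection rules for the masquerading
and persistence behaviour in the report's process tree, run over constructed events."""
import ntpath
import re
from typing import Dict, List, Optional

# Directories these Windows binaries legitimately ship in (lower-case).  A copy anywhere
# else, e.g. the report's c:\windows\system\, is masquerading (ATT&CK T1036.005).
LEGIT_DIRS: Dict[str, set] = {
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "spoolsv.exe": {"c:\\windows\\system32"},
    "explorer.exe": {"c:\\windows", "c:\\windows\\syswow64"},
}
# Registry locations behind the report's signatures: Winlogon helper (T1547.004),
# Run key (T1547.001), Active Setup (T1547.014), hidden-file view (T1564.001).
REG_RULES = [
    ("\\microsoft\\windows nt\\currentversion\\winlogon\\", "winlogon_persistence"),
    ("\\microsoft\\windows\\currentversion\\run\\", "run_key"),
    ("\\microsoft\\active setup\\installed components\\", "installed_components"),
    ("\\microsoft\\windows\\currentversion\\explorer\\advanced\\", "hidden_files_visibility"),
]
# "at HH:MM <flags> <target.exe>", the shape of the report's at.exe jobs (T1053.002).
AT_JOB = re.compile(r"^at(?:\.exe)?\s+(\d{1,2}:\d{2})\s+(.*?)\s+(\S+\.exe)\s*$", re.IGNORECASE)


def is_masquerading(image: str) -> bool:
    """True when a well-known system binary name runs from a directory it never ships in."""
    directory, name = ntpath.split(image.lower())
    legit = LEGIT_DIRS.get(name)
    return legit is not None and directory.rstrip("\\") not in legit


def parse_at_job(cmdline: str) -> Optional[dict]:
    """Return time, /every: days, /interactive flag and target of an at.exe job, or None."""
    m = AT_JOB.match(cmdline.strip())
    if not m:
        return None
    time_, flags, target = m.groups()
    every = re.search(r"/every:(\S+)", flags, re.IGNORECASE)
    return {"time": time_, "every": every.group(1) if every else "",
            "interactive": "/interactive" in flags.lower(), "target": target}


def classify_registry(value_path: str) -> Optional[str]:
    """Map a registry value path to the persistence signature it triggers, if any."""
    lowered = value_path.lower()
    return next((label for needle, label in REG_RULES if needle in lowered), None)


def analyze(events: List[dict]) -> List[dict]:
    """Emit one finding per suspicious process or registry event."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            if is_masquerading(ev["image"]):
                findings.append({"pid": ev["pid"], "rule": "masquerading_system_binary", "detail": ev["image"]})
            if ntpath.basename(ev["image"].lower()) == "at.exe":
                job = parse_at_job(ev["cmdline"])
                if job:  # a job whose target is itself a masquerading copy is the strongest signal
                    rule = "at_job_to_masquerading_binary" if is_masquerading(job["target"]) else "at_job_created"
                    findings.append({"pid": ev["pid"], "rule": rule,
                                     "detail": f"{job['time']} every {job['every']} -> {job['target']}"})
        elif ev["type"] == "registry":
            label = classify_registry(ev["key"])
            if label:
                findings.append({"pid": ev["pid"], "rule": label, "detail": ev["key"]})
    return findings


def proc(pid: int, image: str, cmdline: str) -> dict:
    return {"type": "process", "pid": pid, "image": image, "cmdline": cmdline}


def reg(pid: int, key: str) -> dict:
    return {"type": "registry", "pid": pid, "key": key}


# Constructed sample: the report's process tree, one benign svchost.exe as a control, and
# assumed registry writes (the report names the signatures, not the values written).
SAMPLE_EVENTS = [
    proc(2640, r"C:\Users\Admin\AppData\Local\Temp\d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe"'),
    proc(1576, r"c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe"),
    proc(3380, r"c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE"),
    proc(1256, r"c:\windows\system\svchost.exe", r"c:\windows\system\svchost.exe"),
    proc(4020, r"c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe PR"),
    proc(5028, r"C:\Windows\SysWOW64\at.exe", r"at 10:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    proc(2360, r"C:\Windows\SysWOW64\at.exe", r"at 10:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    proc(1104, r"C:\Windows\SysWOW64\at.exe", r"at 10:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    proc(700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),  # benign control
    reg(1256, r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"),  # assumed value name
    reg(1256, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mrsys"),  # assumed value name
    reg(1256, r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\StubPath"),  # assumed GUID
    reg(1256, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"),  # assumed value name
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['pid']:>5}  {f['rule']:<32} {f['detail']}")
```

The directory allow-list is the part to tune per estate: the check deliberately keys on the file name, so a renamed dropper is missed, but the at.exe rule still fires on any job whose target lives outside the system directories, and the registry rules fire regardless of which binary wrote them.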

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe

    Filesize

    206KB

    MD5

    47a292c7faf981514ed2e87200ddfde9

    SHA1

    dcdcf34e6c868a00e35bdf2f49df6df24f779b1d

    SHA256

    50d6bc3db47f7499f8bebfa6da0b78856df185f2d31582fbab2f38fd332bac12

    SHA512

    d88a11ebf3b1b001b2f5c4918d9f9aa520b16d76319c4230ef8f71246f8c941fc75c84361b21343426825f5f38660eb953f9abec557cae925e29d7aad3e6a063

  • C:\Windows\System\explorer.exe

    Filesize

    206KB

    MD5

    455942f0bc0395ae9f446a24fb3613b0

    SHA1

    932d9d005485426cecca5d373c404c16c009f3cf

    SHA256

    84576e9b7ea54b8b953c5008b1ef7be88a4ed7c81f38677922ed900b490374e4

    SHA512

    921acf1e9661fa982ca69a00a8ef96d45744633598ae4f87d1c075bf9a786d9e71a1b355fb0c5a6ec02bc315c264a359c33d0b125142323d494b006e13e9bf8d

  • C:\Windows\System\spoolsv.exe

    Filesize

    206KB

    MD5

    134a1aa5820381a00e64a3c1bf2eeeab

    SHA1

    8753924df3ca82cab87539793e69a63b7cb26305

    SHA256

    a98244466e1532ebf37ba941350646675f3c562abbfa6dcfb7b041efb1e4dc9d

    SHA512

    0e0861573c13871a73caf24911fc449fbf12ca8bd69a79efc146534efedf98aac4338396ad73795e6a23d9250583b30ddbfbe783378907ba22a9723edf0ef24f

  • C:\Windows\System\svchost.exe

    Filesize

    206KB

    MD5

    f4c8369ffe0502a35f45c89c9e0030b5

    SHA1

    425602e7fbc6e058db8aafa32681c7f5f5bcd2f8

    SHA256

    2bd576b85037715078f9408aed7ce04a61075284878e2e0c9dd0b03cd9e101e4

    SHA512

    33b96c77a37756849860bd2f4a32cc228b3aafb393d781669bc362c92afb95d36fb816cf97c27347c4582744d8c8b7c376d22888e269d03c00c968fbf8a70635

  • memory/1256-26-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2640-0-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2640-37-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/3380-36-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/4020-35-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB