Analysis
  max time kernel: 150s
  max time network: 133s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 04/06/2024, 10:30
Static task
  static1
Behavioral task
  behavioral1
  Sample: d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task
  behavioral2
  Sample: d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
  Target: d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe
  Size: 206KB
  MD5: d15f162143ecf24dc8033a92b7af21b0
  SHA1: e2a17ff3f08464b64e40188ebe2603fbac3ff169
  SHA256: 9b488fea68a6f383be27b1506d5d4b7e73840126037578d97b992aada9a4f5a4
  SHA512: 5e47ded8736d64252a0e2e12be55e432f73e5b6f23a6ad6ce7bd01e8b5b4e4c3e25cdcd38cccfe1e140472f6b3c3d6f44a62122a279f18da208fd387f1efee74
  SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLx:5vEN2U+T6i5LirrllHy4HUcMQY6Kx
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  - Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  - Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  - Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  - Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  - Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  - Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  - 1576 | explorer.exe
  - 3380 | spoolsv.exe
  - 1256 | svchost.exe
  - 4020 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  - File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  - File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  - File opened for modification | \??\c:\windows\system\explorer.exe | d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe
  - File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  - File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  - File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | occurrences
  - 2640 | d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe | 2
  - 1576 | explorer.exe | 32
  - 1256 | svchost.exe | 30
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  - 1256 | svchost.exe
  - 1576 | explorer.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process | occurrences
  - 2640 | d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe | 2
  - 1576 | explorer.exe | 4
  - 3380 | spoolsv.exe | 2
  - 1256 | svchost.exe | 2
  - 4020 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (21 IoCs; each write was recorded 3 times)
  description | pid | Process | procid_target
  - PID 2640 wrote to memory of 1576 | 2640 | d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe | 90
  - PID 1576 wrote to memory of 3380 | 1576 | explorer.exe | 91
  - PID 3380 wrote to memory of 1256 | 3380 | spoolsv.exe | 92
  - PID 1256 wrote to memory of 4020 | 1256 | svchost.exe | 93
  - PID 1256 wrote to memory of 5028 | 1256 | svchost.exe | 94
  - PID 1256 wrote to memory of 2360 | 1256 | svchost.exe | 112
  - PID 1256 wrote to memory of 1104 | 1256 | svchost.exe | 121
Processes (indentation shows the parent/child depth)
  C:\Users\Admin\AppData\Local\Temp\d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe (depth 1, PID 2640)
    command line: "C:\Users\Admin\AppData\Local\Temp\d15f162143ecf24dc8033a92b7af21b0_NeikiAnalytics.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\explorer.exe (depth 2, PID 1576)
      command line: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\spoolsv.exe (depth 3, PID 3380)
        command line: c:\windows\system\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\svchost.exe (depth 4, PID 1256)
          command line: c:\windows\system\svchost.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          \??\c:\windows\system\spoolsv.exe (depth 5, PID 4020)
            command line: c:\windows\system\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\at.exe (depth 5, PID 5028)
            command line: at 10:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          C:\Windows\SysWOW64\at.exe (depth 5, PID 2360)
            command line: at 10:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          C:\Windows\SysWOW64\at.exe (depth 5, PID 1104)
            command line: at 10:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 1040)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4088,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
Network
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
  Persistence
    Boot or Logon Autostart Execution (3)
      Registry Run Keys / Startup Folder (2)
      Winlogon Helper DLL (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (3)
      Registry Run Keys / Startup Folder (2)
      Winlogon Helper DLL (1)
Downloads
  - Filesize: 206KB
    MD5: 47a292c7faf981514ed2e87200ddfde9
    SHA1: dcdcf34e6c868a00e35bdf2f49df6df24f779b1d
    SHA256: 50d6bc3db47f7499f8bebfa6da0b78856df185f2d31582fbab2f38fd332bac12
    SHA512: d88a11ebf3b1b001b2f5c4918d9f9aa520b16d76319c4230ef8f71246f8c941fc75c84361b21343426825f5f38660eb953f9abec557cae925e29d7aad3e6a063
  - Filesize: 206KB
    MD5: 455942f0bc0395ae9f446a24fb3613b0
    SHA1: 932d9d005485426cecca5d373c404c16c009f3cf
    SHA256: 84576e9b7ea54b8b953c5008b1ef7be88a4ed7c81f38677922ed900b490374e4
    SHA512: 921acf1e9661fa982ca69a00a8ef96d45744633598ae4f87d1c075bf9a786d9e71a1b355fb0c5a6ec02bc315c264a359c33d0b125142323d494b006e13e9bf8d
  - Filesize: 206KB
    MD5: 134a1aa5820381a00e64a3c1bf2eeeab
    SHA1: 8753924df3ca82cab87539793e69a63b7cb26305
    SHA256: a98244466e1532ebf37ba941350646675f3c562abbfa6dcfb7b041efb1e4dc9d
    SHA512: 0e0861573c13871a73caf24911fc449fbf12ca8bd69a79efc146534efedf98aac4338396ad73795e6a23d9250583b30ddbfbe783378907ba22a9723edf0ef24f
  - Filesize: 206KB
    MD5: f4c8369ffe0502a35f45c89c9e0030b5
    SHA1: 425602e7fbc6e058db8aafa32681c7f5f5bcd2f8
    SHA256: 2bd576b85037715078f9408aed7ce04a61075284878e2e0c9dd0b03cd9e101e4
    SHA512: 33b96c77a37756849860bd2f4a32cc228b3aafb393d781669bc362c92afb95d36fb816cf97c27347c4582744d8c8b7c376d22888e269d03c00c968fbf8a70635