Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

f5001c1df6...cs.dll

windows7-x64

7

f5001c1df6...cs.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    04/06/2024, 11:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5001c1df67bfa094b926d42dcc9a090_NeikiAnalytics.dll

  • Size

    1.0MB

  • MD5

    f5001c1df67bfa094b926d42dcc9a090

  • SHA1

    9ef324afabe160afbf148e5b0427ae64bbae41cb

  • SHA256

    f99ccad6f539e977685c4e6382623cb3e1e5d60a6977895009bc5cb92a9d23ee

  • SHA512

    7c37238d3b58a11043359ecdf23bdfdedfdfa6ebf6bee642f0014ed9253c7adc5853bd7645465e45dee9fa56d71f8acc9db98881df66c2314a9a4a8d86000e1f

  • SSDEEP

    6144:5i05kH9OyU2uv5SRf/FWgFgtLgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT+:crHGPv5SmptcDmUWuVZkxikdXcq

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5001c1df67bfa094b926d42dcc9a090_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1284
  • C:\Windows\system32\SystemPropertiesRemote.exe
    C:\Windows\system32\SystemPropertiesRemote.exe
    1⤵
      PID:2936
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\JEYYx.cmd
      1⤵
        PID:2692
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{7b98aa95-b212-23e5-3cc8-426819761c96}"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{7b98aa95-b212-23e5-3cc8-426819761c96}"
          2⤵
            PID:2572
        • C:\Windows\system32\raserver.exe
          C:\Windows\system32\raserver.exe
          1⤵
            PID:2628
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\pEoXkio.cmd
            1⤵
            • Drops file in System32 directory
            PID:3040
          • C:\Windows\System32\eventvwr.exe
            "C:\Windows\System32\eventvwr.exe"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:1964
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\LIAd.cmd
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2568
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Create /F /TN "Rkbail" /SC minute /MO 60 /TR "C:\Windows\system32\5284\raserver.exe" /RL highest
                3⤵
                • Creates scheduled task(s)
                PID:2768

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\JEYYx.cmd
            Filesize

            245B

            MD5

            9fdca45bda7d12c1b1f6f6c739941378

            SHA1

            beca906d86d0603bc5ed2b5a6c0d888d468680fd

            SHA256

            9e1842c1397bb73fec91968d60ca7df5bf5535eb20079139c1bd0befba45fda7

            SHA512

            8491bd4a44f5585294b0cd4ee13dd381c15683863694d99752908253a76c20e75b11d6f8cb1ece8e26bb1efae0b33c5368208d3d2f3f53fcf2665f3a6f62621a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\LIAd.cmd
            Filesize

            125B

            MD5

            e74b57ae7336718bd9ac30cdf17bbdc6

            SHA1

            22f4f031e4d7c7ada953d6dac550f41d836fcf6a

            SHA256

            c49648729476218b9eb787e6795764353cd6e9a05a2615c9b0f7e4d9bf0cd334

            SHA512

            13b944f94516262344555021f8a2f1313de4351303afdb58595f989c3a91e42c716b904309f5a55cf847722d3963df8dbb53003008c70ad90628eface34d472e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\fG4164.tmp
            Filesize

            1.0MB

            MD5

            a7b88e4cb43173afeb3a0eafcc5790de

            SHA1

            04bc113d6cd9fb8cafa840d98fb88590aa7b926c

            SHA256

            473bd0a6f61b2147b7a9024056d4aa6880443dce5f693f8475f7f3f622f39889

            SHA512

            f774ad33ab8373e52b784078bcc49f97a3aa545cf6b2463b81cae5262bec41eb483ea255055b841d996bb6b5cd9f9f2359730186385b5648580a0b9939ff9253

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\kj426E.tmp
            Filesize

            1.0MB

            MD5

            9470694a870dfd1649ae01a78998ef78

            SHA1

            16a7ac45d6c403933aedf49ce7c1a622f22993d7

            SHA256

            8b3507d6c841e40a7c0e3dea29bafd1eb9ab92dd1630b3e31f51a3a87d2b973f

            SHA512

            5d8149ac5df9714a126b263eb3e3bad8d354a51a5fcbd00bdabaac48a3826a6dfdf99e33a31ed8a8ebad739334b3c1b4b9bada885469748d506134b813f0b9b2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\pEoXkio.cmd
            Filesize

            195B

            MD5

            bf76fd5e5a8db4b5a4f6cf52b338b1b6

            SHA1

            c9855034d45ea8f147ba504c3975293c964aa385

            SHA256

            171a874c98de9d2b4be0ea313d12d1767a3bb250a2ff70d467a033e23d6aee73

            SHA512

            c3ef1d492050f4b60bbc4b70ff97d2baf05d956f283bbca92168b7a1eb8b9433413242b5af378dde4eb5fc37d332132d3aef9d91360eff0273d7addf26b20eb3

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mqdbvnnwgmqj.lnk
            Filesize

            960B

            MD5

            301ea9f12266a30e69a83d846602738b

            SHA1

            c397d395bf71efd2356bd707dcbfae7535d24c72

            SHA256

            0799a902493329497fa39892b70ab2481d2cc4d86da62f3f4edde53ae5a63a69

            SHA512

            1ee27377ea6ee9851ddd0ef572f2e6b805328f3933c6dd52c025f08f2dd1e073b146470c9ec60c1986cde2ed61caeafc2569d8813106f23059e4fbb21b8228e9

            Download Submit

          • C:\Users\Admin\AppData\Roaming\T5jVY4\SystemPropertiesRemote.exe
            Filesize

            80KB

            MD5

            d0d7ac869aa4e179da2cc333f0440d71

            SHA1

            e7b9a58f5bfc1ec321f015641a60978c0c683894

            SHA256

            5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

            SHA512

            1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

            Download Submit

          • memory/1204-9-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-16-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-97-0x00000000772F6000-0x00000000772F7000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1204-8-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-7-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-32-0x0000000002EE0000-0x0000000002EE7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1204-31-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-24-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-23-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-22-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-21-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-20-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-19-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-18-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-17-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-10-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-15-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-14-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-33-0x0000000077501000-0x0000000077502000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1204-42-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-11-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-12-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-13-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-46-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1204-45-0x0000000077660000-0x0000000077662000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1204-3-0x00000000772F6000-0x00000000772F7000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1204-4-0x0000000002F00000-0x0000000002F01000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1284-6-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1284-2-0x00000000002F0000-0x00000000002F7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1284-0-0x0000000140000000-0x0000000140103000-memory.dmp

            Filesize

            1.0MB

            Download