Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
05/06/2024, 01:26
General
-
Target
2595d6ebf78378d12a336c0b5ff44040_NeikiAnalytics.exe
-
Size
66KB
-
MD5
2595d6ebf78378d12a336c0b5ff44040
-
SHA1
3c4a6ee5ef4ebfbafcb96fcbd11e2b24a0a7bf79
-
SHA256
2a695d24933483add379f6d553d1a6742eb05f7678f6714cee2d2c930558e912
-
SHA512
2a1cf201597fd21968772d351fdbc9664e9781041afc443ce0fafa74059fbd4f90f5a1f9e5a1ddc1f42393714381eb137fa908a136062fddc40713564f6f32df
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXil:IeklMMYJhqezw/pXzH9il
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2595d6ebf78378d12a336c0b5ff44040_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2595d6ebf78378d12a336c0b5ff44040_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 01:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 01:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 01:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD540ca56707cde2e17c287f6841011ab81
SHA1ddd44a8cbb357da854fac6570da01fdb946a1256
SHA256129de7b50f9c6c044457dcfe4b5ff66c2aa211abd060c1a77bb02a5803e26b65
SHA51284be4e87a32a4beb1451cf4c0bd752126ba2f2b56b1249217214a5213f4f818e60d4357b2e83abff829fc3e8d2067d18c2f3bd5bd6d11c74a91be95ca6fd5c57
-
Filesize
66KB
MD5033dd759f62baf12520502b508997bf8
SHA1de2d6917255c8caef3c6b220127f6edea5d1e36a
SHA2564b9a9b2ec99c0aed2366b7826718863704fa4b62b565dba0303b950587e38e90
SHA5121c369fe093860725bdce7bda0cba1437f7d7f04b434fe7f4cd13a524b31a7e7657c52d255e08450b3b39e1acdc12d698b0a25e57f9c46b1b095e4524ca95d97f
-
Filesize
66KB
MD53663a4f87bee464f1a381d933695e7c3
SHA14b507deeb20a09c2e828a7405f053408d29dddbc
SHA25639568b6b33ee282c06c26b445728b7ab17fd05d1a270459ce7082004b24590a3
SHA512b4d6506d3f4e7c8e62349086f37256d69c7e4adf36d6f3d7dce8d40adde2c011049e70fe208d15f8b1e9a7ad7a794b8a1832c58c8bff10bf058b12333bc163aa
-
Filesize
66KB
MD52358647e6d5d643bd39181b93cd39db0
SHA1b9657b7c2207ab3c415e2c83c2dd0ef16875788d
SHA2566c841464796b9e58ed5717a932ef454765915af38c88fd46fc7775570981ebce
SHA512aa815afeb81f80b8732d508fa4a5e2418ca05b30e362f6f76232b565b13d42a3a41111b2adc6118b280b8b7a32418df6b2af41d2a39cb2fa9747666f3738f3d7
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB