Analysis
Max time kernel: 150s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 05/06/2024, 02:28
Static task: static1
Behavioral task: behavioral1
  Sample: 2c99aab9e3d6bcc85720cbec53641f00_NeikiAnalytics.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2c99aab9e3d6bcc85720cbec53641f00_NeikiAnalytics.dll
  Resource: win10v2004-20240426-en
General
Target: 2c99aab9e3d6bcc85720cbec53641f00_NeikiAnalytics.dll
Size: 10.0MB
MD5: 2c99aab9e3d6bcc85720cbec53641f00
SHA1: ea52b70e08386fdfc9115abd09ba6b3e8e9e9838
SHA256: 8ef202906116e43b8cec82b85b21f24c3fbe499b0e5880c6d30781723326bf73
SHA512: bd0eb3bf74b7edbbacb0fd06c76d8da0e0dfc66e60313d46cff62e6b6c2a3b6a1636af0a9d6f601319077568aa3e3396a565429fd421f801983f3a59002ab39b
SSDEEP: 3072:p2LK9Gj4b+XQcVc0Uci3HBBjxRd40suk/nX4wjpGI:c/cNThTRmrJX4wj
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid 2236, process svchost.exe
- Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files (x86)\Lhij\Qhijklmno.bmp (process rundll32.exe)
  File created: C:\Program Files (x86)\Lhij\Qhijklmno.bmp (process rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2236, process svchost.exe (all 64 entries identical)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeBackupPrivilege, pid 1612, process rundll32.exe (4 entries)
  Token: SeRestorePrivilege, pid 1612, process rundll32.exe (4 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1220 wrote to memory of 1612; pid 1220, process rundll32.exe, procid_target 28 (all 7 entries identical)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c99aab9e3d6bcc85720cbec53641f00_NeikiAnalytics.dll,#1
  PID: 1220
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c99aab9e3d6bcc85720cbec53641f00_NeikiAnalytics.dll,#1
    PID: 1612
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  PID: 2236
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 11.4MB
  MD5: ecd1729910fe387bcd87746c1acf9fa3
  SHA1: fe622e14b54e7bf72d65d8a2495c9c13e5367531
  SHA256: 3f8847a15decde905bfce2112612dff186b34815c930f2769feff34bfa8294f5
  SHA512: 35c17786a087c4f58c3c8c55c5c5bec888a2f131bb7264e31c74110fb8708742db35ddad360355944eaba4e134ec94bf8b44acc274e0f2f8411a662fff1dd12c