Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
05/06/2024, 04:29
General
-
Target
3a1ea64a35150d3b801385aa1420e0c0_NeikiAnalytics.dll
-
Size
484KB
-
MD5
3a1ea64a35150d3b801385aa1420e0c0
-
SHA1
ab832ada796e2a83a8e1331bc59a0ae75b195d89
-
SHA256
b34ef1aeed03e2cf0ec4b61d6906c2efa890d1c306094959bb43cf51ed2ae935
-
SHA512
8407d84d402151055d96d45c2d6286274b4d55e3313063def90ea3edf612c1ce8b5ddf422ef1885f3dbbd8034955e606e2447977c1edff647c933d02b76a9660
-
SSDEEP
6144:ti05kH9OyU2uv5SRf/FWgFgtbgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:YrHGPv5SmptsDmUWuVZkxikdXcq
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3a1ea64a35150d3b801385aa1420e0c0_NeikiAnalytics.dll,#11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\sdchange.exeC:\Windows\system32\sdchange.exe1⤵
-
C:\Windows\system32\sdiagnhost.exeC:\Windows\system32\sdiagnhost.exe1⤵
-
C:\Windows\system32\PresentationHost.exeC:\Windows\system32\PresentationHost.exe1⤵
-
C:\Windows\system32\BitLockerWizardElev.exeC:\Windows\system32\BitLockerWizardElev.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\BBurCu.cmd1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2262e400-a0a9-2d5f-1946-aa1a0d59cbbd}"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2262e400-a0a9-2d5f-1946-aa1a0d59cbbd}"2⤵
-
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe1⤵
-
C:\Windows\system32\TSTheme.exeC:\Windows\system32\TSTheme.exe1⤵
-
C:\Windows\system32\wiaacmgr.exeC:\Windows\system32\wiaacmgr.exe1⤵
-
C:\Windows\system32\TSTheme.exeC:\Windows\system32\TSTheme.exe1⤵
-
C:\Windows\system32\userinit.exeC:\Windows\system32\userinit.exe1⤵
-
C:\Windows\system32\wextract.exeC:\Windows\system32\wextract.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Lf5xmx.cmd1⤵
- Drops file in System32 directory
-
C:\Windows\System32\eventvwr.exe"C:\Windows\System32\eventvwr.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\oTP.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Create /F /TN "Kzcfjezwvyzrv" /SC minute /MO 60 /TR "C:\Windows\system32\2821\wextract.exe" /RL highest3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
245B
MD5be53ebaa79bfed0c56301c212f67b15c
SHA1f72e1bfc4e4c411bfbb29380876f6caef46beef9
SHA2564afb8b5e44599b6968ecde6a21decf168c264586e8fe22a6c250ea715ae996b7
SHA5120d5e6eb4a6a993c172b2e1b806d226c021c3f9513a5ffe9b601dc3e3759f57bcea11cca781395337a45df18589c5e0557ace98151f7fa74c856d74b914f98a2d
-
Filesize
195B
MD5aafdd9408a71d549963d769bc87ae79f
SHA1f1d16d01559a758e8f63128f42efe17eb35cc3e2
SHA25677e5ca51a16e123ee7ba1a5c5a0d291044fc4a6c91a9547522538bf42bdef7b8
SHA512bc6767e23d59fd97741d2361655c92923d1ca2ddb3a9553395b3e8126fa2812984589f30cd8c322b563b8628b20e6edb5c1ba5105ce59dc785378072684f89d5
-
Filesize
488KB
MD530d707b291bb306e223494e392aa6103
SHA1cf18bcf84853c0e9c76023b3bdd9cf5bfb9b11b0
SHA2567693d09aaa3f21f08312f720628ac13bad1bc41c91b96d6a36a052b80027466a
SHA5122cac66afad43448470ab53381c13d612a9e6c3756051ab1149c4afd9b6d0d2a5a6cb51873b67f4dfec5c1808efdf47c0d970d14d638e89e51e151cabb5d6225f
-
Filesize
488KB
MD599cec81d0ccf3c681b58ab967f13815c
SHA17b6ddc74087630f16c2f1689afb20da7fd37da22
SHA256032ad6e6e14643c4b89919e1f827ae1830e1aaced5f0492242a3b59f03f30726
SHA5120cfed8d45208522d8bf10455e8149ebfca1c4bbfe8918ba0332767c71556d847be87a64e0b63c639c3bfb4c628b9818d47248d1562d8c13929bf3fce8e8f9b83
-
Filesize
132B
MD504c345eec506fa02033acfb7f6a9a30d
SHA14ad6314f35d070d5551a42ad33bea96ec41b830a
SHA256fd1748d48579390654c07c3665554eded21691f4b762de7373616a4461ebbb0a
SHA51226e82ce301ff4ff59510908977e9cbfbb0eceeace4fccf7b7620bbc8eba216f08cc10be9a5e60ea9b056cff7d12747b7c69b4dba073b965a19e8227f8bfd3d81
-
Filesize
98KB
MD573f13d791e36d3486743244f16875239
SHA1ed5ec55dbc6b3bda505f0a4c699c257c90c02020
SHA2562483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
SHA512911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af
-
Filesize
948B
MD510392731c3dacd7cd84b4de004a1ff85
SHA17893452a523b7245311634db84f161417c61b647
SHA256a7b1558c42cd62841a15d5aed22d94182d1fbe71ee76b985747dd48cbdde89ba
SHA512b182142e1de79edb409765d68c3b726aaebe1529a1b9005f752cabf7b14065734ce29ba35c826a90f3f8812d25de13497c891e4cbd496df7def6918f66ca0514
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
4KB
-
Filesize
484KB
-
Filesize
4KB
-
Filesize
484KB
-
Filesize
28KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
8KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
484KB
-
Filesize
28KB
-
Filesize
484KB