Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

3a1ea64a35...cs.dll

windows7-x64

7

3a1ea64a35...cs.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/06/2024, 04:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a1ea64a35150d3b801385aa1420e0c0_NeikiAnalytics.dll

  • Size

    484KB

  • MD5

    3a1ea64a35150d3b801385aa1420e0c0

  • SHA1

    ab832ada796e2a83a8e1331bc59a0ae75b195d89

  • SHA256

    b34ef1aeed03e2cf0ec4b61d6906c2efa890d1c306094959bb43cf51ed2ae935

  • SHA512

    8407d84d402151055d96d45c2d6286274b4d55e3313063def90ea3edf612c1ce8b5ddf422ef1885f3dbbd8034955e606e2447977c1edff647c933d02b76a9660

  • SSDEEP

    6144:ti05kH9OyU2uv5SRf/FWgFgtbgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:YrHGPv5SmptsDmUWuVZkxikdXcq

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a1ea64a35150d3b801385aa1420e0c0_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:228
  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:4832
    • C:\Windows\system32\browserexport.exe
      C:\Windows\system32\browserexport.exe
      1⤵
        PID:4880
      • C:\Windows\system32\audiodg.exe
        C:\Windows\system32\audiodg.exe
        1⤵
          PID:696
        • C:\Windows\system32\cmstp.exe
          C:\Windows\system32\cmstp.exe
          1⤵
            PID:5088
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ACnYWGO.cmd
            1⤵
              PID:4788
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{3a9698a7-8b59-5789-8186-33aeee771cee}"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2556
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{3a9698a7-8b59-5789-8186-33aeee771cee}"
                2⤵
                  PID:2572
              • C:\Windows\system32\sdchange.exe
                C:\Windows\system32\sdchange.exe
                1⤵
                  PID:1708
                • C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
                  C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
                  1⤵
                    PID:2900
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\PYO.cmd
                    1⤵
                    • Drops file in System32 directory
                    PID:5008
                  • C:\Windows\System32\fodhelper.exe
                    "C:\Windows\System32\fodhelper.exe"
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:680
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\9y7Qzf.cmd
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3524
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /Create /F /TN "Niazd" /SC minute /MO 60 /TR "C:\Windows\system32\3268\PasswordOnWakeSettingFlyout.exe" /RL highest
                        3⤵
                        • Creates scheduled task(s)
                        PID:2116

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\9y7Qzf.cmd
                    Filesize

                    143B

                    MD5

                    11825e326510756daea0d29c78ae2851

                    SHA1

                    057a4c6a0ac31862df4b0e0b8d8ec0e879ec142f

                    SHA256

                    b22f231931bb9e2ded05af660c23eae1e17c9291413eb59d318fb8e8437822f8

                    SHA512

                    f4e483650c259a9bf5dcbbb936cf23317ad9f4655d0b73d1cb72e95ee43f48305d2753bd08aa68e57e8a8cd7de336f81c7f5aadfdfc8f16d062780999e8e8af5

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\ACnYWGO.cmd
                    Filesize

                    234B

                    MD5

                    a3208d8899ddcd3a3773bddcd2b92c2f

                    SHA1

                    4dfd3e0ef3b917dc9e956f33622759eb12afdf9c

                    SHA256

                    ae680d55183b60674167e90e7edc17ae7aa53aa376e2a428c2259ee09f1e041b

                    SHA512

                    762add706ba08b3b8755a3ceaaa23bd98fb3ec7b1b88124c61df6030167bbb7910979723739bbbb8d1149bc89c42a884c7a8e34e0cb294dcadb2db101299956a

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\GEX610C.tmp
                    Filesize

                    488KB

                    MD5

                    8549a94b5508273a69cc26781cbdcb21

                    SHA1

                    a0feb2926787e6edb227346fba80fd678ceec59b

                    SHA256

                    32238df5ff30dcba7fccf1d33398e40b0645669144a9acc17afcce11de37f931

                    SHA512

                    210b9ebec2634b46ae14e518df4686809ed629e81115667958f926a1f4dc06513ee1a3c4c6e8a1097b6ba9be709fa8e7f73b3e3d90902da074f33aab73a87fc0

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\PYO.cmd
                    Filesize

                    212B

                    MD5

                    8e41f35fcc9948866f0697ec114f6029

                    SHA1

                    2dce4c8d48d87271f6caba342b44b47b80b877ef

                    SHA256

                    59ae54f1c79e11b1cace69be7ddd20dd0bc646f001cf9dcd142149e8457dbb60

                    SHA512

                    2138db6bbd13b27e87b7b275aa7efc310ea676ca571a8b408834df4efe608c9318254683c58afb939dfda959d03aeba24090709e39dab1420e64e36b3f84c529

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\l6207.tmp
                    Filesize

                    488KB

                    MD5

                    8273378fd5c7aacfe22b6a1555ab7ca4

                    SHA1

                    1252b3c4f37d10b3a10ee59195c087d21a3784f6

                    SHA256

                    b63cf97b57916b7932f20c4a4fbd15d9ca5348b0458edb69fd7a3d98a0b15d1a

                    SHA512

                    dc2515ca87d424baccf05ef234883622defb220326e155cdb4facb92c99a86629d3759cb480ee2ef73da4265972565b1c76854a2ecdeeaa59b62020d8885d03b

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iphtcfjrejti.lnk
                    Filesize

                    902B

                    MD5

                    20a96eeb16a357d69677bf9a6c74f820

                    SHA1

                    f4b44e0a3fe1c029789041bc893f1116cd4b8056

                    SHA256

                    903482ea72ed1435a7508ba8a6fdfb288434c523056a7603d1f8546961246eb4

                    SHA512

                    55b11000bc0758052e41d081ed1798ccab1d8225981fa883673a204304fc787c29ffdfb1b49e806303f2f7f56fdd9ac979d73f8e48b4b5f0cd2fb275fd7eabf7

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\i6Zrcow\cmstp.exe
                    Filesize

                    96KB

                    MD5

                    4cc43fe4d397ff79fa69f397e016df52

                    SHA1

                    8fd6cf81ad40c9b123cd75611860a8b95c72869c

                    SHA256

                    f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

                    SHA512

                    851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

                    Download Submit

                  • memory/228-0-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/228-5-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/228-2-0x0000017DCF480000-0x0000017DCF487000-memory.dmp

                    Filesize

                    28KB

                    Download

                  • memory/3544-9-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-19-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-24-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-7-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-52-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-8-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-20-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-6-0x00007FFB71F5A000-0x00007FFB71F5B000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3544-42-0x00000000033F0000-0x00000000033F7000-memory.dmp

                    Filesize

                    28KB

                    Download

                  • memory/3544-40-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-31-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-23-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-22-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-43-0x00007FFB734C0000-0x00007FFB734D0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3544-21-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-18-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-17-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-16-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-15-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-14-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-13-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-12-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-11-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-10-0x0000000140000000-0x0000000140079000-memory.dmp

                    Filesize

                    484KB

                    Download

                  • memory/3544-3-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

                    Filesize

                    4KB

                    Download