Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d63615f4c8...cs.exe

windows7-x64

10

d63615f4c8...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    06/06/2024, 16:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe

  • Size

    65KB

  • MD5

    d63615f4c82a75b9b77ea859821828c0

  • SHA1

    702b28837fa023f73fb5538a7edc652ab9bc4634

  • SHA256

    cfeee4ebc5b385876df7c1336b88abaddb38b70e035dfaed0882f04587f97955

  • SHA512

    7a9ceb3d26dee73c6d1e55e9b33a5518732fbcb603034113a8267b81a7bdb97ff3323b7e24ddeabe17aaffe89cb525330af65f6f98f57607f76cd5d23241da88

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ou6:7WNqkOJWmo1HpM0MkTUmu6

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2208
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2392
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2956
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2612
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2512
          • C:\Windows\SysWOW64\at.exe
            at 16:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:3036
            • C:\Windows\SysWOW64\at.exe
              at 16:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2552
              • C:\Windows\SysWOW64\at.exe
                at 16:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3000

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          3b07a852d7e05f18a9fd5c32b423127b

          SHA1

          e8ae0add448f8988180c0dcc41f1afac373198ac

          SHA256

          7d534f19fc3a6e328e008dc2c9c9898f25a92786b1d81beb05f3d99d677ab7db

          SHA512

          68287142578cf38096ba279c813b95214768797ed14673bec18e070c05293eb78743c4ffc70b1eedadb322007c99aec3cdaac364bdba4423e51d89d39715fe95

          Download Submit

        • \Windows\system\explorer.exe
          Filesize

          65KB

          MD5

          1d935ea203b5f5190ad38941616a42a4

          SHA1

          ea55b5a3ea14cd306d5b0e23cd2f7f967b387d97

          SHA256

          4b452ece5beb55c57b0b9deb161213214e8e11375e76e0cd00922cf41a9820ea

          SHA512

          70ed0af69109fa5f2b154acd4eae7f66bf9a7ccaf11adc7b033c55b336af62ba0b3ed01bbd5ddc527613d18b1130112b2fd82180ec81f6ed5629cef58d0bff89

          Download Submit

        • \Windows\system\spoolsv.exe
          Filesize

          65KB

          MD5

          16e2f16e696b8a976fcf0555f18968d3

          SHA1

          f00007a21ded50bf5b12b01200dc6a29deeddb3d

          SHA256

          ca02c12e50def5f2f648be29d759a76505a1846cc34ad122afa8b587ebf7330b

          SHA512

          823f4e2469963cf82aba30ba29e140405dbc82207dde777f38f70f9613912c206fff198b0edc86da7a92e06635ab2dc0dada3c43857fcb5aeed3eb415a56ad2d

          Download Submit

        • \Windows\system\svchost.exe
          Filesize

          65KB

          MD5

          4ef617fcc35df8600626eb01089690c1

          SHA1

          c27e8d5626d9a72d05e16a52d53539d4e73b806d

          SHA256

          a17ec617c0f8877b1d0d97d49e4ed9923266d47ce143c40731c2605816897386

          SHA512

          8d67f19e33396a7e6592d9f938f15d72ed29e3227a3cd180b1746b8f1d1c6f2a76ca9e3f1c29a3bf1415f64be45ed797fae011091d21de1f625fa583e74f9a91

          Download Submit

        • memory/2208-1-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2208-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2208-64-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2208-20-0x0000000001DD0000-0x0000000001E01000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2208-19-0x0000000001DD0000-0x0000000001E01000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2208-77-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2208-2-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2208-76-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2208-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2208-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2392-80-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2392-79-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2392-90-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2392-30-0x0000000002490000-0x00000000024C1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2392-17-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2392-21-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2512-70-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2512-65-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2612-55-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2612-81-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2956-74-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2956-53-0x0000000001DF0000-0x0000000001E21000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2956-54-0x0000000001DF0000-0x0000000001E21000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2956-41-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2956-37-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2956-36-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download