Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 06/06/2024, 16:32
Static task: static1
Behavioral task: behavioral1
- Sample: d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe
- Size: 65KB
- MD5: d63615f4c82a75b9b77ea859821828c0
- SHA1: 702b28837fa023f73fb5538a7edc652ab9bc4634
- SHA256: cfeee4ebc5b385876df7c1336b88abaddb38b70e035dfaed0882f04587f97955
- SHA512: 7a9ceb3d26dee73c6d1e55e9b33a5518732fbcb603034113a8267b81a7bdb97ff3323b7e24ddeabe17aaffe89cb525330af65f6f98f57607f76cd5d23241da88
- SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ou6:7WNqkOJWmo1HpM0MkTUmu6
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
Executes dropped EXE (4 IoCs)
- PID 2392: explorer.exe
- PID 2956: spoolsv.exe
- PID 2612: svchost.exe
- PID 2512: spoolsv.exe
Loads dropped DLL (8 IoCs)
- PID 2208: d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe (2 entries)
- PID 2392: explorer.exe (2 entries)
- PID 2956: spoolsv.exe (2 entries)
- PID 2612: svchost.exe (2 entries)
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
Drops file in Windows directory (6 IoCs)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: svchost.exe)
- File opened for modification: C:\Windows\system\udsys.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe)
- File opened for modification: \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: explorer.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs; pid/process rows listed once with repeat counts)
- PID 2208: d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe (1 entry)
- PID 2392: explorer.exe (32 entries)
- PID 2612: svchost.exe (31 entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2392: explorer.exe
- PID 2612: svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs; consecutive duplicate rows collapsed)
- PID 2208: d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe (2 entries)
- PID 2392: explorer.exe (2 entries)
- PID 2956: spoolsv.exe (2 entries)
- PID 2612: svchost.exe (2 entries)
- PID 2512: spoolsv.exe (2 entries)
- PID 2392: explorer.exe (2 entries)
Suspicious use of WriteProcessMemory (28 IoCs; each row appears 4 times in the raw report)
- PID 2208 wrote to memory of 2392 (process: d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe, procid_target: 28)
- PID 2392 wrote to memory of 2956 (process: explorer.exe, procid_target: 29)
- PID 2956 wrote to memory of 2612 (process: spoolsv.exe, procid_target: 30)
- PID 2612 wrote to memory of 2512 (process: svchost.exe, procid_target: 31)
- PID 2612 wrote to memory of 3036 (process: svchost.exe, procid_target: 32)
- PID 2612 wrote to memory of 2552 (process: svchost.exe, procid_target: 36)
- PID 2612 wrote to memory of 3000 (process: svchost.exe, procid_target: 38)
Processes
- C:\Users\Admin\AppData\Local\Temp\d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe (PID 2208)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (PID 2392)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (PID 2956)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (PID 2612)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (PID 2512)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (PID 3036)
          Command line: at 16:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 2552)
          Command line: at 16:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 3000)
          Command line: at 16:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 65KB
  MD5: 3b07a852d7e05f18a9fd5c32b423127b
  SHA1: e8ae0add448f8988180c0dcc41f1afac373198ac
  SHA256: 7d534f19fc3a6e328e008dc2c9c9898f25a92786b1d81beb05f3d99d677ab7db
  SHA512: 68287142578cf38096ba279c813b95214768797ed14673bec18e070c05293eb78743c4ffc70b1eedadb322007c99aec3cdaac364bdba4423e51d89d39715fe95
- Filesize: 65KB
  MD5: 1d935ea203b5f5190ad38941616a42a4
  SHA1: ea55b5a3ea14cd306d5b0e23cd2f7f967b387d97
  SHA256: 4b452ece5beb55c57b0b9deb161213214e8e11375e76e0cd00922cf41a9820ea
  SHA512: 70ed0af69109fa5f2b154acd4eae7f66bf9a7ccaf11adc7b033c55b336af62ba0b3ed01bbd5ddc527613d18b1130112b2fd82180ec81f6ed5629cef58d0bff89
- Filesize: 65KB
  MD5: 16e2f16e696b8a976fcf0555f18968d3
  SHA1: f00007a21ded50bf5b12b01200dc6a29deeddb3d
  SHA256: ca02c12e50def5f2f648be29d759a76505a1846cc34ad122afa8b587ebf7330b
  SHA512: 823f4e2469963cf82aba30ba29e140405dbc82207dde777f38f70f9613912c206fff198b0edc86da7a92e06635ab2dc0dada3c43857fcb5aeed3eb415a56ad2d
- Filesize: 65KB
  MD5: 4ef617fcc35df8600626eb01089690c1
  SHA1: c27e8d5626d9a72d05e16a52d53539d4e73b806d
  SHA256: a17ec617c0f8877b1d0d97d49e4ed9923266d47ce143c40731c2605816897386
  SHA512: 8d67f19e33396a7e6592d9f938f15d72ed29e3227a3cd180b1746b8f1d1c6f2a76ca9e3f1c29a3bf1415f64be45ed797fae011091d21de1f625fa583e74f9a91