Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/06/2024, 16:32
Static task: static1
Behavioral task: behavioral1
- Sample: d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe
- Size: 65KB
- MD5: d63615f4c82a75b9b77ea859821828c0
- SHA1: 702b28837fa023f73fb5538a7edc652ab9bc4634
- SHA256: cfeee4ebc5b385876df7c1336b88abaddb38b70e035dfaed0882f04587f97955
- SHA512: 7a9ceb3d26dee73c6d1e55e9b33a5518732fbcb603034113a8267b81a7bdb97ff3323b7e24ddeabe17aaffe89cb525330af65f6f98f57607f76cd5d23241da88
- SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ou6:7WNqkOJWmo1HpM0MkTUmu6
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  - Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
- Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  - Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  - Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  - Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  - Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  - Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  - 4092 | explorer.exe
  - 4804 | spoolsv.exe
  - 3776 | svchost.exe
  - 3448 | spoolsv.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
- Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  - File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  - File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  - File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  - File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  - File opened for modification | \??\c:\windows\system\explorer.exe | d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe
  - File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3112 d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe 3112 d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe 4092 explorer.exe 4092 explorer.exe 4092 explorer.exe 4092 explorer.exe 4092 explorer.exe 4092 explorer.exe 3776 svchost.exe 3776 svchost.exe 3776 svchost.exe 3776 svchost.exe 4092 explorer.exe 4092 explorer.exe 3776 svchost.exe 3776 svchost.exe 4092 explorer.exe 4092 explorer.exe 3776 svchost.exe 3776 svchost.exe 4092 explorer.exe 4092 explorer.exe 3776 svchost.exe 3776 svchost.exe 4092 explorer.exe 4092 explorer.exe 3776 svchost.exe 3776 svchost.exe 4092 explorer.exe 4092 explorer.exe 3776 svchost.exe 3776 svchost.exe 4092 explorer.exe 4092 explorer.exe 3776 svchost.exe 3776 svchost.exe 4092 explorer.exe 4092 explorer.exe 3776 svchost.exe 3776 svchost.exe 4092 explorer.exe 4092 explorer.exe 3776 svchost.exe 3776 svchost.exe 4092 explorer.exe 4092 explorer.exe 3776 svchost.exe 3776 svchost.exe 4092 explorer.exe 4092 explorer.exe 3776 svchost.exe 3776 svchost.exe 4092 explorer.exe 4092 explorer.exe 3776 svchost.exe 3776 svchost.exe 4092 explorer.exe 4092 explorer.exe 3776 svchost.exe 3776 svchost.exe 4092 explorer.exe 4092 explorer.exe 3776 svchost.exe 3776 svchost.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  - 4092 | explorer.exe
  - 3776 | svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  - 3112 | d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe
  - 3112 | d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe
  - 4092 | explorer.exe
  - 4092 | explorer.exe
  - 4804 | spoolsv.exe
  - 4804 | spoolsv.exe
  - 3776 | svchost.exe
  - 3776 | svchost.exe
  - 3448 | spoolsv.exe
  - 3448 | spoolsv.exe
  - 4092 | explorer.exe
  - 4092 | explorer.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  - PID 3112 wrote to memory of 4092 | 3112 | d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe | 90
  - PID 3112 wrote to memory of 4092 | 3112 | d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe | 90
  - PID 3112 wrote to memory of 4092 | 3112 | d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe | 90
  - PID 4092 wrote to memory of 4804 | 4092 | explorer.exe | 91
  - PID 4092 wrote to memory of 4804 | 4092 | explorer.exe | 91
  - PID 4092 wrote to memory of 4804 | 4092 | explorer.exe | 91
  - PID 4804 wrote to memory of 3776 | 4804 | spoolsv.exe | 92
  - PID 4804 wrote to memory of 3776 | 4804 | spoolsv.exe | 92
  - PID 4804 wrote to memory of 3776 | 4804 | spoolsv.exe | 92
  - PID 3776 wrote to memory of 3448 | 3776 | svchost.exe | 93
  - PID 3776 wrote to memory of 3448 | 3776 | svchost.exe | 93
  - PID 3776 wrote to memory of 3448 | 3776 | svchost.exe | 93
  - PID 3776 wrote to memory of 212 | 3776 | svchost.exe | 94
  - PID 3776 wrote to memory of 212 | 3776 | svchost.exe | 94
  - PID 3776 wrote to memory of 212 | 3776 | svchost.exe | 94
  - PID 3776 wrote to memory of 4612 | 3776 | svchost.exe | 112
  - PID 3776 wrote to memory of 4612 | 3776 | svchost.exe | 112
  - PID 3776 wrote to memory of 4612 | 3776 | svchost.exe | 112
  - PID 3776 wrote to memory of 4408 | 3776 | svchost.exe | 121
  - PID 3776 wrote to memory of 4408 | 3776 | svchost.exe | 121
  - PID 3776 wrote to memory of 4408 | 3776 | svchost.exe | 121
Processes
- C:\Users\Admin\AppData\Local\Temp\d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe (PID 3112)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe"
  Signatures:
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (PID 4092)
    Command line: c:\windows\system\explorer.exe
    Signatures:
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (PID 4804)
      Command line: c:\windows\system\spoolsv.exe SE
      Signatures:
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (PID 3776)
        Command line: c:\windows\system\svchost.exe
        Signatures:
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (PID 3448)
          Command line: c:\windows\system\spoolsv.exe PR
          Signatures:
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (PID 212)
          Command line: at 16:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 4612)
          Command line: at 16:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 4408)
          Command line: at 16:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1976)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3812,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads