Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d63615f4c8...cs.exe

windows7-x64

10

d63615f4c8...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/06/2024, 16:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe

  • Size

    65KB

  • MD5

    d63615f4c82a75b9b77ea859821828c0

  • SHA1

    702b28837fa023f73fb5538a7edc652ab9bc4634

  • SHA256

    cfeee4ebc5b385876df7c1336b88abaddb38b70e035dfaed0882f04587f97955

  • SHA512

    7a9ceb3d26dee73c6d1e55e9b33a5518732fbcb603034113a8267b81a7bdb97ff3323b7e24ddeabe17aaffe89cb525330af65f6f98f57607f76cd5d23241da88

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ou6:7WNqkOJWmo1HpM0MkTUmu6

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d63615f4c82a75b9b77ea859821828c0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3112
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4092
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4804
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3776
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3448
          • C:\Windows\SysWOW64\at.exe
            at 16:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:212
            • C:\Windows\SysWOW64\at.exe
              at 16:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4612
              • C:\Windows\SysWOW64\at.exe
                at 16:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4408
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3812,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8
          1⤵
            PID:1976

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\mrsys.exe
            Filesize

            65KB

            MD5

            2361b9e7289e172560ab3b0e587d8a5e

            SHA1

            f15f10e3154063a896fdfc3a015f60556bfad8b3

            SHA256

            b3e1398151d2978128df8bf85b2441d3452623c6857d1a9f23723edc42875f0e

            SHA512

            ee78559594db236c413c68087bacbce3244f6091dd94e1fac5f31e9cbd4d142cbb0c40acf97ceab56fa67dd9ffcf23130c5b6daa01e41146f44d965c92dd3173

            Download Submit

          • C:\Windows\System\explorer.exe
            Filesize

            65KB

            MD5

            c004b06ec3418d04a2771af4184e4c55

            SHA1

            1c9c7a3fed004795a6cd46d48155837b10dfbbc0

            SHA256

            701df71d54899de1d1c7b374ca478e05f0c4df7455753f1df6387cb6a33b2b36

            SHA512

            5198c87418dd0436862230ec47c8dc36a3e1bbbe80f0e016f60e6a8495ad8a838a91ba71395f1e87898eef7d033133131f4c5ad461634cbba358ed545863c7c2

            Download Submit

          • C:\Windows\System\spoolsv.exe
            Filesize

            65KB

            MD5

            9d0c37f86f5ac0d288a4dfaa417bc8d6

            SHA1

            2ebb45845f2c1753336d4cb0a4ff0318182f744a

            SHA256

            771f9e9690a55aa321af621c8c926b70e1b060ee23838fc16e77862db6892a58

            SHA512

            dca33df58564437d23efc552674f5bcd1b2096d424698a75fd46088413d90286614a949beecf3175b3c482f5ed6792da9457d08b492421f1ec90af5a22260ecc

            Download Submit

          • C:\Windows\System\svchost.exe
            Filesize

            65KB

            MD5

            1c2dcfbd46da6bf77ffd84af08b078f9

            SHA1

            3190f7e8be3b2188fe37ef0a750d81d1759fa594

            SHA256

            91b9914f48fa7b7e258e6b85f6a27d1019f37a9622c531ea493ef3636c3dcde2

            SHA512

            459a5551b9f3050c967ebfc48c6c245541de1cbff23e15df1d764c679dbb849828c2b48c1fd3d323fa0e95b7751d16b3ceaf035c8d5029a6c9e0b42975083cf9

            Download Submit

          • memory/3112-2-0x0000000074DD0000-0x0000000074F2D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3112-56-0x00000000001C0000-0x00000000001C4000-memory.dmp

            Filesize

            16KB

            Download

          • memory/3112-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

            Filesize

            16KB

            Download

          • memory/3112-0-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3112-55-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3112-5-0x0000000000401000-0x000000000042E000-memory.dmp

            Filesize

            180KB

            Download

          • memory/3112-3-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3112-57-0x0000000000401000-0x000000000042E000-memory.dmp

            Filesize

            180KB

            Download

          • memory/3448-44-0x0000000074DD0000-0x0000000074F2D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3448-50-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3776-61-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3776-35-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/3776-37-0x0000000074DD0000-0x0000000074F2D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3776-41-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4092-16-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4092-13-0x0000000074DD0000-0x0000000074F2D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4092-59-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4092-15-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4092-70-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4804-53-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download

          • memory/4804-26-0x0000000074DD0000-0x0000000074F2D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4804-25-0x0000000000400000-0x0000000000431000-memory.dmp

            Filesize

            196KB

            Download