Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

08a09158b7...cs.exe

windows7-x64

10

08a09158b7...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/06/2024, 19:22 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08a09158b799ec0798be26fff576bf70_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    08a09158b799ec0798be26fff576bf70

  • SHA1

    f072dd81838804709916d3487dd24ec663978139

  • SHA256

    7de2c19c7ee99b48e19d48e04f95efc542e06fdb284a4f3f7eb51e5fabcd594e

  • SHA512

    4dacfc088bdc9409d0c0804b2f8d0d780244aa53a50dfd5596e78fc806c3c6491d7987a7df3cd8ffa7ad583c125a5d016ddda8ad75f70285ea80297f19671758

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi6:IeklMMYJhqezw/pXzH9i6

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08a09158b799ec0798be26fff576bf70_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\08a09158b799ec0798be26fff576bf70_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3088
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5032
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4612
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1260
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:848
          • C:\Windows\SysWOW64\at.exe
            at 19:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:392
            • C:\Windows\SysWOW64\at.exe
              at 19:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1980
              • C:\Windows\SysWOW64\at.exe
                at 19:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4796

        Network

        • flag-us
          DNS
          249.197.17.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          249.197.17.2.in-addr.arpa
          IN PTR
          Response
          249.197.17.2.in-addr.arpa
          IN PTR
          a2-17-197-249deploystaticakamaitechnologiescom
        • flag-us
          DNS
          154.239.44.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          154.239.44.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          64.159.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          64.159.190.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          149.220.183.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          149.220.183.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          183.59.114.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          183.59.114.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          198.187.3.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          198.187.3.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          240.197.17.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          240.197.17.2.in-addr.arpa
          IN PTR
          Response
          240.197.17.2.in-addr.arpa
          IN PTR
          a2-17-197-240deploystaticakamaitechnologiescom
        • flag-us
          DNS
          13.227.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          13.227.111.52.in-addr.arpa
          IN PTR
          Response
        No results found
        • 8.8.8.8:53
          249.197.17.2.in-addr.arpa
          dns
          71 B
           135 B
           1
          1

          DNS Request

          249.197.17.2.in-addr.arpa

        • 8.8.8.8:53
          154.239.44.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          154.239.44.20.in-addr.arpa

        • 8.8.8.8:53
          64.159.190.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          64.159.190.20.in-addr.arpa

        • 8.8.8.8:53
          149.220.183.52.in-addr.arpa
          dns
          73 B
           147 B
           1
          1

          DNS Request

          149.220.183.52.in-addr.arpa

        • 8.8.8.8:53
          183.59.114.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          183.59.114.20.in-addr.arpa

        • 8.8.8.8:53
          198.187.3.20.in-addr.arpa
          dns
          71 B
           157 B
           1
          1

          DNS Request

          198.187.3.20.in-addr.arpa

        • 8.8.8.8:53
          240.197.17.2.in-addr.arpa
          dns
          71 B
           135 B
           1
          1

          DNS Request

          240.197.17.2.in-addr.arpa

        • 8.8.8.8:53
          13.227.111.52.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          13.227.111.52.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          f3245d5c81a5bdb0c0ee75accbc6a61a

          SHA1

          5443a622ba1a03e29d12911781877265acacae48

          SHA256

          07578769ffb18c144ca5166b669e79cc9f3865897c78c871cc3ce8a945e47411

          SHA512

          0f57cb59b31de2bdd2d82cd076213503381640cff649e54ae6a8d2a29ae24e8c25a6bc1196e7da2debb53469986ad4bbc827183a7fd866792e5e4769f11a0337

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          b29c83d468ce180ac7369a45337d3a76

          SHA1

          8244e527ef7076fe6056a5869265a03f0a42d5fe

          SHA256

          446d75643fac89ad2b2c15d2fc4cbfd8f8a47295f17629489b47b4b2117a4d9f

          SHA512

          36a02eadfa8e1edd9c2e9b73a73578e89c614888d8d62e950efd782047f1a2b03dfafb2f168a53ed0ee10046e8b9da032e5127ed99de3cf84bbe0018cf9f619e

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          8f7510a28201abea38bb870a1baecfae

          SHA1

          5265eaf87d78c525d292d4575de21cb49ef300b6

          SHA256

          eb16382919dcbdb7f4b8d7bd8e31db8d429c3c443668e86d84ef6d674d2e8e14

          SHA512

          0d01907ee5bcc9826d6a26681a02b90d593ab888086d1a35ac3d764e8431c0ae73b557bdae8cc65ff18e9d7a656d2179b599c2df051156f9b17fafaf55d2d40c

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          490c84b3cbed1d70d20f60763ee30370

          SHA1

          d77cb52b1a7b57b6a25dbc06e8a4c451e93a8278

          SHA256

          d68b0fde1bf631e59300fc46ef67b2d5d7ac4475e0e9d446eed600abdb3c94c5

          SHA512

          698243db535faeeaba2ec472b3053c1454a43b964471352a28f862eca498e3cba76b1434db1395c6d8642377139b8e3617c784cf14810a1c4aefae2372534a8a

          Download Submit

        • memory/848-49-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/848-43-0x00000000757F0000-0x000000007594D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1260-41-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1260-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1260-36-0x00000000757F0000-0x000000007594D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3088-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3088-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3088-57-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3088-56-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3088-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3088-2-0x00000000757F0000-0x000000007594D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3088-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/4612-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4612-26-0x00000000757F0000-0x000000007594D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4612-25-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5032-13-0x00000000757F0000-0x000000007594D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/5032-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5032-16-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5032-69-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5032-15-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.