
Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07/06/2024, 08:42

General

  • Target: 46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe
  • Size: 224KB
  • MD5: 46671b8c2835cfcd4eb2bf83f3f7d4a0
  • SHA1: 8d8364460bcff84e32a9ead55be251b65b628ad2
  • SHA256: f15148c30cf48abc24bdd03f6724b8ffc88b30463277367fdb9b85b4a3203c62
  • SHA512: 7a4d9b18a6b506f8b75999a43fd429fb6560de8fd240293c38bb9b084c1088868888b91d6188e1cbbc96638c6818f3a262dfc2bb1a929482cf6b16bf79b10199
  • SSDEEP: 3072:PvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6uoyVPHSw3u/:PvEN2U+T6i5LirrllHy4HUcMQY6YVP38

Score: 10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2920
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1644
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5076
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1372
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1724
          • C:\Windows\SysWOW64\at.exe
            at 08:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:4228
          • C:\Windows\SysWOW64\at.exe
            at 08:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:4048
          • C:\Windows\SysWOW64\at.exe
            at 08:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:1056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize: 224KB
    MD5: 3f5038f05d61dd2acf144cd7ee7c62c1
    SHA1: 60db04b7716afd259cca1377ee621d2a7c60681d
    SHA256: ef7be5ce6027b50e575ff676bb085d2717bcf006e81595668d6a9275e7632cce
    SHA512: 450f55fd0d9f00b81a78c0e80087524645bff7a51256d8928fd6eb172853b8765be83208b2c4cafdc793eda1da45438afcd297a1c04c3dec9b0058ac1f622fcb

  • C:\Windows\System\explorer.exe
    Filesize: 224KB
    MD5: c819fb94a49abc9f8dce3334cd8696c1
    SHA1: b10918de7871b022e5c0e6184f8b8afc1d1cbcb8
    SHA256: 2aec15d5873a5fc46b659a970b6fcbd0856d472c75922c519b2f1561aee621e3
    SHA512: af3e360f3d2084a95647b69653cd97e6b11dbb6f16488864dcbb4023f94022b0854ca576a590e68725ceebe079b5906a1afd93141e08784880c5c9f4bfc8ffbe

  • C:\Windows\System\spoolsv.exe
    Filesize: 224KB
    MD5: 39335f4cae0d8c5a3263d94683378284
    SHA1: 122e7d68dde5019ad7c5a368ffe1369f98592f64
    SHA256: 200bae15f39ae3181fc309ec084be6bff8f9f6a569410021db7b89cc22d08a88
    SHA512: 16398803c44d8debb0d0988bc7abd521905c6a9b6dd6513e7e7d015d2e4c05400430893168c1d91c2b5b277af12635ebefab7daf517fb6b9b2cb4eba26b06112

  • C:\Windows\System\svchost.exe
    Filesize: 224KB
    MD5: 51c4b122be8a9de151ef819cb610fef2
    SHA1: 509e66de228ec43cb2e9e7f4d61e868d6f51afe9
    SHA256: 5f41f4e1ba801e6e55b6d96c883e75f30f97544a6878f4e622b6559c31141a0e
    SHA512: 1427fbeb9caaf0237ae8a0fbda1349ebbc4bea9734de429384fee3b00f6718772535bd6b7858d2cc490d322b4af77bd5862a258514dd1c7b1efd0da5517d32ad

  • memory/1644-8-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB
  • memory/1724-33-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB
  • memory/2920-0-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB
  • memory/2920-37-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB
  • memory/5076-36-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB