Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

59e05d8c23...cs.exe

windows7-x64

10

59e05d8c23...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/06/2024, 12:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59e05d8c234b2d0f1da1867d33b5c760_NeikiAnalytics.exe

  • Size

    65KB

  • MD5

    59e05d8c234b2d0f1da1867d33b5c760

  • SHA1

    4d491ea435b2d5cdfebfaa3473017adb6b35f725

  • SHA256

    660f40e3d538ea675e4114bd7290e1a184f4c91c53b732d8c375a6142a8a105b

  • SHA512

    31a58fcdb1fd65b67bab71935b0d8e18d42d2154cdd67323e1613c7a61c5643ecf37964de0ad731ea50846b5e16eb4ce279846ec30329c3fa2fdc788ebe32e30

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuE:7WNqkOJWmo1HpM0MkTUmuE

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59e05d8c234b2d0f1da1867d33b5c760_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\59e05d8c234b2d0f1da1867d33b5c760_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2100
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3464
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2380
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4240
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3972
          • C:\Windows\SysWOW64\at.exe
            at 12:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2904
            • C:\Windows\SysWOW64\at.exe
              at 12:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1952
              • C:\Windows\SysWOW64\at.exe
                at 12:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4628

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          45ffa6e2b5074e31a035512eb770a0a9

          SHA1

          cd6a79d34fc3f94f5c8de19a3e71d366d33906af

          SHA256

          d2913c94bf87280c7e9e4cb60c141ff3d38088d98ee077cae0d609d3c9740247

          SHA512

          892cbc772ca143b674422f696e4f43c895d8a95bab8152cee8e8753736bf93bb4db4a4b20bc63529178aeaf81a2e3873e035634942f1a0990e9f9452a600b4d9

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          65KB

          MD5

          fbd2061e560b7244c44bd8f5c4502130

          SHA1

          6304b6c0e6a6445d249d9aeacb5f0107549d4e13

          SHA256

          85e7f3edbe2e33b2d410da4fb8c5d26b57db32f8fda3ea651b4e5304922e9e65

          SHA512

          07df35d5c9f66a169f168d9e211bce30f3b0544a73b1559c6ca649797ad3f9f45b1214d3717a851ad4fa2583041c885d908c482766fd5ab38bd80baf52060260

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          65KB

          MD5

          2ffdebd81b6ccbb9f884ff462b5c43ea

          SHA1

          6b990cf03a58b45c293d07dc37d6ab5a07960dd2

          SHA256

          40b58aab234b7cf7d9c563acea04b6902db55c11ae0cca0166b6f50387232466

          SHA512

          0b29da4a42c7a8653cb7e26a3d2c6a75e8e9321a74e42b3f3b51d07a7e2ec81488b771b362f278255ccb6fce2c7e7df1292468454bc735abe235f92ca34f8f6e

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          65KB

          MD5

          31c4fadfb1d93441ac47f8a309257547

          SHA1

          255a658cc1a61e354bb2ca5b978fd1b31e3b0377

          SHA256

          c6e8e65e7e0d678d1c0b70c7a00d5c13bc10e24717f57dbcc550e779ae43206a

          SHA512

          55b5c89cdfc59a4baa598cd5989e75a57593930d34d8aedd2014c6e0a3ff2868678f1a10c200a6300b7bb5097270b7bb1e483e9fa1ab4a1bb6efbcbad38eb9a4

          Download Submit

        • memory/2100-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2100-5-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2100-44-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2100-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2100-57-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2100-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2100-2-0x0000000075320000-0x000000007547D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2100-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2380-26-0x0000000075320000-0x000000007547D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2380-30-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2380-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3464-16-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3464-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3464-14-0x0000000075320000-0x000000007547D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-17-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3464-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3464-61-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3464-72-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3972-45-0x0000000075320000-0x000000007547D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3972-51-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4240-38-0x0000000075320000-0x000000007547D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4240-37-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4240-63-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download