Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08/06/2024, 05:08
Static task: static1
Behavioral task: behavioral1
- Sample: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe
- Resource: win10v2004-20240226-en
General
- Target: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe
- Size: 199KB
- MD5: 8e99fa4c549c5b7a39f45ebccffaaf40
- SHA1: fe87036f5f877c7ea4c66bb17b370c3e90d1f668
- SHA256: 77b3ea43e47635f9de0b05eb4c9dabe435b14a6a996675ec83b00c2234016481
- SHA512: 111dff1969c02842613aa30927f88619856cfe644f1b54c92ba0bac392cbc3877c486545e3a46eac4a8264819fa5b77377138074efbde7d168322559357fd49f
- SSDEEP: 3072:7vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u4Pmu7:7vEN2U+T6i5LirrllHy4HUcMQY6B
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)

Executes dropped EXE (4 IoCs)
- PID 2692: explorer.exe
- PID 2584: spoolsv.exe
- PID 2620: svchost.exe
- PID 2548: spoolsv.exe

Loads dropped DLL (8 IoCs)
- PID 2256: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe
- PID 2256: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe
- PID 2692: explorer.exe
- PID 2692: explorer.exe
- PID 2584: spoolsv.exe
- PID 2584: spoolsv.exe
- PID 2620: svchost.exe
- PID 2620: svchost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)

Drops file in Windows directory (6 IoCs)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe)
- File opened for modification: \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: svchost.exe)
- File opened for modification: C:\Windows\system\udsys.exe (process: explorer.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2692: explorer.exe
- PID 2620: svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 2256: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe
- PID 2256: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe
- PID 2692: explorer.exe
- PID 2692: explorer.exe
- PID 2584: spoolsv.exe
- PID 2584: spoolsv.exe
- PID 2620: svchost.exe
- PID 2620: svchost.exe
- PID 2548: spoolsv.exe
- PID 2548: spoolsv.exe
- PID 2692: explorer.exe
- PID 2692: explorer.exe

Suspicious use of WriteProcessMemory (28 IoCs)
- PID 2256 wrote to memory of 2692 (process: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe, procid_target: 28)
- PID 2256 wrote to memory of 2692 (process: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe, procid_target: 28)
- PID 2256 wrote to memory of 2692 (process: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe, procid_target: 28)
- PID 2256 wrote to memory of 2692 (process: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe, procid_target: 28)
- PID 2692 wrote to memory of 2584 (process: explorer.exe, procid_target: 29)
- PID 2692 wrote to memory of 2584 (process: explorer.exe, procid_target: 29)
- PID 2692 wrote to memory of 2584 (process: explorer.exe, procid_target: 29)
- PID 2692 wrote to memory of 2584 (process: explorer.exe, procid_target: 29)
- PID 2584 wrote to memory of 2620 (process: spoolsv.exe, procid_target: 30)
- PID 2584 wrote to memory of 2620 (process: spoolsv.exe, procid_target: 30)
- PID 2584 wrote to memory of 2620 (process: spoolsv.exe, procid_target: 30)
- PID 2584 wrote to memory of 2620 (process: spoolsv.exe, procid_target: 30)
- PID 2620 wrote to memory of 2548 (process: svchost.exe, procid_target: 31)
- PID 2620 wrote to memory of 2548 (process: svchost.exe, procid_target: 31)
- PID 2620 wrote to memory of 2548 (process: svchost.exe, procid_target: 31)
- PID 2620 wrote to memory of 2548 (process: svchost.exe, procid_target: 31)
- PID 2620 wrote to memory of 1712 (process: svchost.exe, procid_target: 32)
- PID 2620 wrote to memory of 1712 (process: svchost.exe, procid_target: 32)
- PID 2620 wrote to memory of 1712 (process: svchost.exe, procid_target: 32)
- PID 2620 wrote to memory of 1712 (process: svchost.exe, procid_target: 32)
- PID 2620 wrote to memory of 1916 (process: svchost.exe, procid_target: 36)
- PID 2620 wrote to memory of 1916 (process: svchost.exe, procid_target: 36)
- PID 2620 wrote to memory of 1916 (process: svchost.exe, procid_target: 36)
- PID 2620 wrote to memory of 1916 (process: svchost.exe, procid_target: 36)
- PID 2620 wrote to memory of 1972 (process: svchost.exe, procid_target: 38)
- PID 2620 wrote to memory of 1972 (process: svchost.exe, procid_target: 38)
- PID 2620 wrote to memory of 1972 (process: svchost.exe, procid_target: 38)
- PID 2620 wrote to memory of 1972 (process: svchost.exe, procid_target: 38)
Processes

- C:\Users\Admin\AppData\Local\Temp\8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe (PID 2256)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe"
  Signatures:
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - \??\c:\windows\system\explorer.exe (PID 2692)
    Command line: c:\windows\system\explorer.exe
    Signatures:
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - \??\c:\windows\system\spoolsv.exe (PID 2584)
      Command line: c:\windows\system\spoolsv.exe SE
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Child processes:
      - \??\c:\windows\system\svchost.exe (PID 2620)
        Command line: c:\windows\system\svchost.exe
        Signatures:
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Child processes:
        - \??\c:\windows\system\spoolsv.exe (PID 2548)
          Command line: c:\windows\system\spoolsv.exe PR
          Signatures:
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (PID 1712)
          Command line: at 05:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 1916)
          Command line: at 05:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 1972)
          Command line: at 05:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads