Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/06/2024, 05:08

General

  • Target

    8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe

  • Size

    199KB

  • MD5

    8e99fa4c549c5b7a39f45ebccffaaf40

  • SHA1

    fe87036f5f877c7ea4c66bb17b370c3e90d1f668

  • SHA256

    77b3ea43e47635f9de0b05eb4c9dabe435b14a6a996675ec83b00c2234016481

  • SHA512

    111dff1969c02842613aa30927f88619856cfe644f1b54c92ba0bac392cbc3877c486545e3a46eac4a8264819fa5b77377138074efbde7d168322559357fd49f

  • SSDEEP

    3072:7vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u4Pmu7:7vEN2U+T6i5LirrllHy4HUcMQY6B

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4504
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3272
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2876
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1288
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1948
          • C:\Windows\SysWOW64\at.exe
            at 05:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:4080
          • C:\Windows\SysWOW64\at.exe
            at 05:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:3244
          • C:\Windows\SysWOW64\at.exe
            at 05:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:3040
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:3748

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize: 216KB
    MD5: 5166957afeb45833c193fed87f284272
    SHA1: d4ae5148404d256a171be67c411241eca617218f
    SHA256: c3ac209dbd92548a1873f4110be69eb7473e1306a2117061d2cd199b01616cdd
    SHA512: dd506cf55ec185d04df275cc69da35fba916e05496d3ac55bfd3ec5224706e794c3616db1f0f9714c5e082e18d1cdde1ccef2222507ebdb75e182907af6321d5

  • C:\Windows\System\explorer.exe
    Filesize: 216KB
    MD5: bc68fe461eadf9b9ea91381a7a38e427
    SHA1: ea16d77e8827865ec88cfa3c6bf2aaf27afb1374
    SHA256: 0b8e794a1a54bb2cb8bbb516793b8bb8d01a81182815beddc692b702a0679d34
    SHA512: 55c83f89d0343797a91eae2b2485d00a0950eca5735cd4ed216c2b1cb6c8b036e409ce8c5dc4cbf7eae0651f7ddcae0773a7abec61f7c308fb9531cb968b0b52

  • C:\Windows\System\spoolsv.exe
    Filesize: 216KB
    MD5: 0bce3c619a70e4070f84530c182be413
    SHA1: 24d1bd41688086381fed98a7af16f91e7583372c
    SHA256: 5c93b7316602afec444721339e1c9cbe8845df1e0e15df1a5af040744329ca25
    SHA512: cc5e7bb94fa142585fc73a03fa5e3fe2f91107f9f79bb137078cad7b83fa354e136789ae9412b906cf0a7a04e2e426df14c6d03126bf9260af40603b5dffb68f

  • C:\Windows\System\svchost.exe
    Filesize: 216KB
    MD5: 727c686e72cee2804ca628334d977089
    SHA1: 055d6873f28e3ff5b040c14d46b19a971cf17fea
    SHA256: c1475fa84439206c955c699e1e23e5373639132f2002d7929eccfe8ee003f29c
    SHA512: c9fa66a363fe6f1e9b017db9e4d19f76a61e8e7735e8473fcb6958a815e2bf3c0dd13bccead275d2bdfdd21df504c5738dba97b1a1bed187938396588fe48490

  • memory/1288-25-0x0000000000400000-0x0000000000431000-memory.dmp
    Filesize: 196KB

  • memory/1948-33-0x0000000000400000-0x0000000000431000-memory.dmp
    Filesize: 196KB

  • memory/2876-36-0x0000000000400000-0x0000000000431000-memory.dmp
    Filesize: 196KB

  • memory/4504-0-0x0000000000400000-0x0000000000431000-memory.dmp
    Filesize: 196KB

  • memory/4504-37-0x0000000000400000-0x0000000000431000-memory.dmp
    Filesize: 196KB