Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/06/2024, 05:08
Static task: static1
Behavioral task: behavioral1
- Sample: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe
- Resource: win10v2004-20240226-en
General
- Target: 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe
- Size: 199KB
- MD5: 8e99fa4c549c5b7a39f45ebccffaaf40
- SHA1: fe87036f5f877c7ea4c66bb17b370c3e90d1f668
- SHA256: 77b3ea43e47635f9de0b05eb4c9dabe435b14a6a996675ec83b00c2234016481
- SHA512: 111dff1969c02842613aa30927f88619856cfe644f1b54c92ba0bac392cbc3877c486545e3a46eac4a8264819fa5b77377138074efbde7d168322559357fd49f
- SSDEEP: 3072:7vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u4Pmu7:7vEN2U+T6i5LirrllHy4HUcMQY6B
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe |
Executes dropped EXE (4 IoCs)

| pid | Process |
|---|---|
| 3272 | explorer.exe |
| 2876 | spoolsv.exe |
| 1288 | svchost.exe |
| 1948 | spoolsv.exe |
Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe |
Drops file in Windows directory (6 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe |
| File opened for modification | C:\Windows\system\udsys.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe |
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
|---|---|
| 4504 | 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe |
| 4504 | 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 1288 | svchost.exe |
| 3272 | explorer.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| pid | Process |
|---|---|
| 3272 | explorer.exe |
| 1288 | svchost.exe |
Suspicious use of SetWindowsHookEx (12 IoCs)

| pid | Process |
|---|---|
| 4504 | 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe |
| 4504 | 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
| 2876 | spoolsv.exe |
| 2876 | spoolsv.exe |
| 1288 | svchost.exe |
| 1288 | svchost.exe |
| 1948 | spoolsv.exe |
| 1948 | spoolsv.exe |
| 3272 | explorer.exe |
| 3272 | explorer.exe |
Suspicious use of WriteProcessMemory (21 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4504 wrote to memory of 3272 | 4504 | 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe | 91 |
| PID 4504 wrote to memory of 3272 | 4504 | 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe | 91 |
| PID 4504 wrote to memory of 3272 | 4504 | 8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe | 91 |
| PID 3272 wrote to memory of 2876 | 3272 | explorer.exe | 92 |
| PID 3272 wrote to memory of 2876 | 3272 | explorer.exe | 92 |
| PID 3272 wrote to memory of 2876 | 3272 | explorer.exe | 92 |
| PID 2876 wrote to memory of 1288 | 2876 | spoolsv.exe | 93 |
| PID 2876 wrote to memory of 1288 | 2876 | spoolsv.exe | 93 |
| PID 2876 wrote to memory of 1288 | 2876 | spoolsv.exe | 93 |
| PID 1288 wrote to memory of 1948 | 1288 | svchost.exe | 94 |
| PID 1288 wrote to memory of 1948 | 1288 | svchost.exe | 94 |
| PID 1288 wrote to memory of 1948 | 1288 | svchost.exe | 94 |
| PID 1288 wrote to memory of 4080 | 1288 | svchost.exe | 95 |
| PID 1288 wrote to memory of 4080 | 1288 | svchost.exe | 95 |
| PID 1288 wrote to memory of 4080 | 1288 | svchost.exe | 95 |
| PID 1288 wrote to memory of 3244 | 1288 | svchost.exe | 106 |
| PID 1288 wrote to memory of 3244 | 1288 | svchost.exe | 106 |
| PID 1288 wrote to memory of 3244 | 1288 | svchost.exe | 106 |
| PID 1288 wrote to memory of 3040 | 1288 | svchost.exe | 108 |
| PID 1288 wrote to memory of 3040 | 1288 | svchost.exe | 108 |
| PID 1288 wrote to memory of 3040 | 1288 | svchost.exe | 108 |
Processes

- C:\Users\Admin\AppData\Local\Temp\8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe (PID 4504)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e99fa4c549c5b7a39f45ebccffaaf40_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (PID 3272)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (PID 2876)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (PID 1288)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (PID 1948)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (PID 4080)
          Command line: at 05:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 3244)
          Command line: at 05:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 3040)
          Command line: at 05:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3748)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads