Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

47b9b3fa9a...cs.exe

windows7-x64

8

47b9b3fa9a...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2024, 13:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47b9b3fa9ac2cb08f234382917930540_NeikiAnalytics.exe

  • Size

    226KB

  • MD5

    47b9b3fa9ac2cb08f234382917930540

  • SHA1

    10c93b6f06201fbb8d030b3f67cae1e59582d877

  • SHA256

    d5d8a5c2e21754b89fc4d2cf2302ed803b191fc23f3778508ae6d7232a452ae5

  • SHA512

    9b5f754d79926f029ed7f17c8e2f1c41e8068d52e82e8f02e8842ed00a10c0412e1936afdd5cbed14eff868b62a242961d5294ab9dd6e5660709ff919a411d12

  • SSDEEP

    3072:GKcZcOUmoz93z8aKDe8hNau7XcgSZdfUq:GKuKD1ue8hNauXbF

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47b9b3fa9ac2cb08f234382917930540_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\47b9b3fa9ac2cb08f234382917930540_NeikiAnalytics.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\{15A57011-BC13-4efb-B0AB-BEC1C6ED60AB}.exe
      C:\Windows\{15A57011-BC13-4efb-B0AB-BEC1C6ED60AB}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\{C5326210-BD2A-47a3-961B-9DCA2B3621B9}.exe
        C:\Windows\{C5326210-BD2A-47a3-961B-9DCA2B3621B9}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Windows\{FBA9309E-A89E-490a-AF08-397F91CD4D1C}.exe
          C:\Windows\{FBA9309E-A89E-490a-AF08-397F91CD4D1C}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Windows\{EBC02437-F37F-4a60-A674-56A00BC62296}.exe
            C:\Windows\{EBC02437-F37F-4a60-A674-56A00BC62296}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2872
            • C:\Windows\{1C0C0CF4-C17D-4396-8E2D-5483C63DBC37}.exe
              C:\Windows\{1C0C0CF4-C17D-4396-8E2D-5483C63DBC37}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2812
              • C:\Windows\{C82B0390-5E67-4b58-9A18-9356C387F8F3}.exe
                C:\Windows\{C82B0390-5E67-4b58-9A18-9356C387F8F3}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1968
                • C:\Windows\{674F43C3-D32B-4e44-A4F1-156BA2E388B6}.exe
                  C:\Windows\{674F43C3-D32B-4e44-A4F1-156BA2E388B6}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2012
                  • C:\Windows\{764D56A4-73FA-4b08-8828-F562AA86462B}.exe
                    C:\Windows\{764D56A4-73FA-4b08-8828-F562AA86462B}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2540
                    • C:\Windows\{2079DE55-BB76-4e4d-99CC-E6E21967AFDD}.exe
                      C:\Windows\{2079DE55-BB76-4e4d-99CC-E6E21967AFDD}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1932
                      • C:\Windows\{BB06B29F-6A46-4bfa-8B28-A6A7A998BCE2}.exe
                        C:\Windows\{BB06B29F-6A46-4bfa-8B28-A6A7A998BCE2}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1500
                        • C:\Windows\{AB5B6FF2-CEE2-4990-8DC9-C11BC4553B4A}.exe
                          C:\Windows\{AB5B6FF2-CEE2-4990-8DC9-C11BC4553B4A}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:2136
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BB06B~1.EXE > nul
                          12⤵
                            PID:448
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2079D~1.EXE > nul
                          11⤵
                            PID:532
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{764D5~1.EXE > nul
                          10⤵
                            PID:336
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{674F4~1.EXE > nul
                          9⤵
                            PID:2296
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C82B0~1.EXE > nul
                          8⤵
                            PID:1632
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1C0C0~1.EXE > nul
                          7⤵
                            PID:1776
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{EBC02~1.EXE > nul
                          6⤵
                            PID:1676
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{FBA93~1.EXE > nul
                          5⤵
                            PID:2896
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C5326~1.EXE > nul
                          4⤵
                            PID:2448
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{15A57~1.EXE > nul
                          3⤵
                            PID:2928
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\47B9B3~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1248

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{15A57011-BC13-4efb-B0AB-BEC1C6ED60AB}.exe
                        Filesize

                        226KB

                        MD5

                        3cc78497e9b4499b4c1ed2f3c3fffca9

                        SHA1

                        ba221a9cfb5f08c263b2869e8b51c8245eda47a9

                        SHA256

                        39ae04be78785f39ec36eb6167bbae7d152be555bf71a1dbeeb4e98ac1356262

                        SHA512

                        b28360cd9f292d1c4b74191501079a6b5ac7b4efe3670317be91c7cf44b4160c453f48e14f8bfd96207e188201b6b06d6e2603692b7622b7caedb9cebb822716

                        Download Submit

                      • C:\Windows\{1C0C0CF4-C17D-4396-8E2D-5483C63DBC37}.exe
                        Filesize

                        226KB

                        MD5

                        5771e0bee019c735dec38889a0b96496

                        SHA1

                        cbaf1ef030642828d52fe7dda33c4ede1a924332

                        SHA256

                        cbb6f02d2d28e022ac1e2189ffd5197464bf5b15b5717be8524ea5a6cfb7448f

                        SHA512

                        b3c6d67c43da3cb56d6f706d320975d36bdbf84d52db98d62ade0512a2ed66c1513b606ac0afcac4e6c5215db14ab1991bdf0771e0759c376a0ffdf0d473cf9e

                        Download Submit

                      • C:\Windows\{2079DE55-BB76-4e4d-99CC-E6E21967AFDD}.exe
                        Filesize

                        226KB

                        MD5

                        2810e3d34e6fedbf7179505d81469a9b

                        SHA1

                        bb0729828d6819095b50617c59df8091122c70b9

                        SHA256

                        eceb367a2a245da487aa10c4a6b9881e2944f89709eb61fd906f53e8d771e497

                        SHA512

                        cf20d7080002a97c17346ebcda4df361493e479b4d45af2df98694c785b7b2aa858b69421a73ebd07639db377f3a965166aa8b2278f317baf615b9787e995809

                        Download Submit

                      • C:\Windows\{674F43C3-D32B-4e44-A4F1-156BA2E388B6}.exe
                        Filesize

                        226KB

                        MD5

                        35039b1c361265ee34edcc8a072affc7

                        SHA1

                        8965d04060df65e0cd578098edb5d5d384101b7c

                        SHA256

                        bc2645487def19ebaba5f9aa80b5aa1ebd6e44d26aaa1d738b14dfd021ab2d86

                        SHA512

                        0ca1b3146ace58574d1383055cbc236135c6a7751f54847a36404bedb9bb0a97814849af2592d790dd9f8048da794fcde19ffc1adbdf34ec7b899706a400e4c6

                        Download Submit

                      • C:\Windows\{764D56A4-73FA-4b08-8828-F562AA86462B}.exe
                        Filesize

                        226KB

                        MD5

                        bf1a3683eac08a6120dae70f97c90ad1

                        SHA1

                        2ab02e1b2910c764f6928314edc061741e6df71e

                        SHA256

                        f7cf5c5b3891da4693c534fc8ff95b680ce5b73fe03ea2ef34e2481ff3f12393

                        SHA512

                        f3f266c35f279c7120266fc4835a981b03ad7fd6646421106c168d1f5240c937ac7cfde82536946c764432f2f0f5708c36e37f9ab557f69ca48ca53cf7b87a2e

                        Download Submit

                      • C:\Windows\{AB5B6FF2-CEE2-4990-8DC9-C11BC4553B4A}.exe
                        Filesize

                        226KB

                        MD5

                        26d5dbac40630caaeab0197429cdded1

                        SHA1

                        40decd1d3050c4a8e21723a0cb3d25de67d5a2ac

                        SHA256

                        d00f9b0b495b070687105ac986573c3fa08d932d2564d4a5ba9aefc6fed3a6ff

                        SHA512

                        c1d1ee48b9b5b0e91843d80e51406d1bb127a86b03da8f930457fb3043c07eaf0bd5bdf2fc8c58a3c838af6ca446677ae7d9b3396b2ee351da491fd349106233

                        Download Submit

                      • C:\Windows\{BB06B29F-6A46-4bfa-8B28-A6A7A998BCE2}.exe
                        Filesize

                        226KB

                        MD5

                        efb9841fae7d3ac55131385bbb329965

                        SHA1

                        2a80b29b3097486ec746657ec7289e39840cc756

                        SHA256

                        9e0b2479048b54f0f91942d48d8812fe1c05f9ee9ad2815316ec360776eb7119

                        SHA512

                        b83ffe6ae81b13636fc62ebeb3e4c93df8017039f506649d4d1e6461fe17d95b75f0ad2063a4e54ee4cd6e0c029659584019111fec5286eb816cc1f1e7442d1a

                        Download Submit

                      • C:\Windows\{C5326210-BD2A-47a3-961B-9DCA2B3621B9}.exe
                        Filesize

                        226KB

                        MD5

                        55a9143869ab3110af7ae727eb3430bd

                        SHA1

                        2f3622a70eba503885733b4a44d1688629e36057

                        SHA256

                        222b9acdb3b382693fb89b9b8dbe8deb9788506a8ef2d9b35fd2b031711d5a98

                        SHA512

                        6baf1651b3577fcc5fc2c2bbd4d0c8eb93da0da4da5da3244f3d572f98140f41043ef3f037d5157026c184115544b7264f139646e4d540a9c643814d983b7c9f

                        Download Submit

                      • C:\Windows\{C82B0390-5E67-4b58-9A18-9356C387F8F3}.exe
                        Filesize

                        226KB

                        MD5

                        28b2ef4bade115753819f81457d12102

                        SHA1

                        dca6efd7c677d285b898ca70a851d5a45982cb68

                        SHA256

                        6769beae2ff466978e62c5abe89f141704130294d5c86cb3957bbad1924bd6d3

                        SHA512

                        b8a02fe22c3c89d92622e3218d8652ee54be229d49493ce28f4f8a6151721688d51819641794b8f32b68525d98a69f399fd0466b6e7824798146900bf742bcbb

                        Download Submit

                      • C:\Windows\{EBC02437-F37F-4a60-A674-56A00BC62296}.exe
                        Filesize

                        226KB

                        MD5

                        da50e0bf5090ea568ee3b65a6fe8b62f

                        SHA1

                        53265c4b37e4a7fa14376b0c6b16e698331b5216

                        SHA256

                        979fe9adccda2dcff849547c769404512e83ba8f107431608b28de97af9ce7ec

                        SHA512

                        8f9bd5819f111539a5b69dc5819abdaa9b4012d36a143cc73ce17eb0c94b89ef8b7997752b356d72975ef65d183d110be2a2880f045a1515a47d6520a35b77a2

                        Download Submit

                      • C:\Windows\{FBA9309E-A89E-490a-AF08-397F91CD4D1C}.exe
                        Filesize

                        226KB

                        MD5

                        6eb3a68733ee858c4dae3868ba8b2959

                        SHA1

                        087812072585fc114d02ff5edfae94a29ac11b5a

                        SHA256

                        5097aed3dbf82b7bba37c0ca98f7406410c935954ff808c1c8da346b8ffce143

                        SHA512

                        bacd9951ce109ee263e2cb5fd9cb1b83771ff17010b42a89ea3f4cd1501fe34b1e62862fe5d82a1cca7e27b1c1bf27166b2bff82c05f503b93c4b34804b407d8

                        Download Submit

                      • memory/1460-0-0x00000000002B0000-0x00000000002C0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1460-10-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/1460-11-0x00000000002B0000-0x00000000002C0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1460-12-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1460-2-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/1460-1-0x0000000000400000-0x0000000000410000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/1500-106-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/1932-89-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/1932-97-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/1968-62-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/1968-70-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/2012-79-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/2452-34-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/2452-24-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/2452-23-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/2540-88-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/2736-43-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/2792-22-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/2792-9-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/2812-61-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/2812-53-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download

                      • memory/2872-51-0x0000000000400000-0x0000000000440000-memory.dmp

                        Filesize

                        256KB

                        Download