Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10/06/2024, 04:04
Behavioral task
behavioral1
Sample
08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral2
Sample
08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe
-
Size
2.5MB
-
MD5
08f0ca296a36d78eadbdb55db08a4a60
-
SHA1
df2acd69d9a24ca2e7aa9adf6244b9d4fb4a86e7
-
SHA256
d53980dafb91f586ff96100ad0eaa128f47a7e9cfdeb35c687a5f1678e21a262
-
SHA512
a8c70a578e9bcdf69c1fab1fda96983099a9d86f97957a1134aac1cf9e3507ef267179ad5a9207f46d6d152738f6e381ed869dd98183c0d6e1a660356400a1d2
-
SSDEEP
49152:PxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxW:Pxx9NUFkQx753uWuCyyxW
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe -
Executes dropped EXE 4 IoCs
pid Process 2956 explorer.exe 1632 spoolsv.exe 2584 svchost.exe 2632 spoolsv.exe -
Loads dropped DLL 4 IoCs
pid Process 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2956 explorer.exe 1632 spoolsv.exe 2584 svchost.exe -
resource yara_rule behavioral1/memory/2932-0-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/files/0x002e0000000144e9-7.dat themida behavioral1/memory/2956-12-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/files/0x000800000001470b-19.dat themida behavioral1/memory/1632-24-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/files/0x0008000000014983-34.dat themida behavioral1/memory/2584-36-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2632-44-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2932-52-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1632-51-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2632-50-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2956-53-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2584-54-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2956-63-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2956-69-0x0000000000400000-0x0000000000A0E000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2956 explorer.exe 1632 spoolsv.exe 2584 svchost.exe 2632 spoolsv.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification \??\c:\windows\resources\themes\explorer.exe 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2824 schtasks.exe 1100 schtasks.exe 2656 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2584 svchost.exe 2584 svchost.exe 2584 svchost.exe 2584 svchost.exe 2584 svchost.exe 2584 svchost.exe 2584 svchost.exe 2584 svchost.exe 2584 svchost.exe 2584 svchost.exe 2584 svchost.exe 2584 svchost.exe 2584 svchost.exe 2584 svchost.exe 2584 svchost.exe 2584 svchost.exe 2956 explorer.exe 2956 explorer.exe 2956 explorer.exe 2584 svchost.exe 2584 svchost.exe 2956 explorer.exe 2584 svchost.exe 2956 explorer.exe 2584 svchost.exe 2956 explorer.exe 2584 svchost.exe 2956 explorer.exe 2584 svchost.exe 2956 explorer.exe 2584 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2956 explorer.exe 2584 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 2956 explorer.exe 2956 explorer.exe 1632 spoolsv.exe 1632 spoolsv.exe 2584 svchost.exe 2584 svchost.exe 2632 spoolsv.exe 2632 spoolsv.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2932 wrote to memory of 2956 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 28 PID 2932 wrote to memory of 2956 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 28 PID 2932 wrote to memory of 2956 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 28 PID 2932 wrote to memory of 2956 2932 08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe 28 PID 2956 wrote to memory of 1632 2956 explorer.exe 29 PID 2956 wrote to memory of 1632 2956 explorer.exe 29 PID 2956 wrote to memory of 1632 2956 explorer.exe 29 PID 2956 wrote to memory of 1632 2956 explorer.exe 29 PID 1632 wrote to memory of 2584 1632 spoolsv.exe 30 PID 1632 wrote to memory of 2584 1632 spoolsv.exe 30 PID 1632 wrote to memory of 2584 1632 spoolsv.exe 30 PID 1632 wrote to memory of 2584 1632 spoolsv.exe 30 PID 2584 wrote to memory of 2632 2584 svchost.exe 31 PID 2584 wrote to memory of 2632 2584 svchost.exe 31 PID 2584 wrote to memory of 2632 2584 svchost.exe 31 PID 2584 wrote to memory of 2632 2584 svchost.exe 31 PID 2956 wrote to memory of 2828 2956 explorer.exe 32 PID 2956 wrote to memory of 2828 2956 explorer.exe 32 PID 2956 wrote to memory of 2828 2956 explorer.exe 32 PID 2956 wrote to memory of 2828 2956 explorer.exe 32 PID 2584 wrote to memory of 2656 2584 svchost.exe 33 PID 2584 wrote to memory of 2656 2584 svchost.exe 33 PID 2584 wrote to memory of 2656 2584 svchost.exe 33 PID 2584 wrote to memory of 2656 2584 svchost.exe 33 PID 2584 wrote to memory of 2824 2584 svchost.exe 38 PID 2584 wrote to memory of 2824 2584 svchost.exe 38 PID 2584 wrote to memory of 2824 2584 svchost.exe 38 PID 2584 wrote to memory of 2824 2584 svchost.exe 38 PID 2584 wrote to memory of 1100 2584 svchost.exe 40 PID 2584 wrote to memory of 1100 2584 svchost.exe 40 PID 2584 wrote to memory of 1100 2584 svchost.exe 40 PID 2584 wrote to memory of 1100 2584 svchost.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\08f0ca296a36d78eadbdb55db08a4a60_NeikiAnalytics.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2632
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:11 /f5⤵
- Creates scheduled task(s)
PID:2656
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:12 /f5⤵
- Creates scheduled task(s)
PID:2824
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:13 /f5⤵
- Creates scheduled task(s)
PID:1100
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵PID:2828
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD55d4270b884bc46ccc5f4e0bdcbcaaa29
SHA1777ffc60ba0cf29efa8ee4c13e7cb4645dc6f660
SHA25694f34826b3c7d95d9eb1b7733982137fb087980734d839988a29f4caf6e39f28
SHA512f9dc02dafdda4b6e962f74d1369ea47ab3c345fca035342ab8aeb6c36766464868f2aa052bba73ae1f87ce861e6675e87a239181e1ed3e1499135f33d5817b51
-
Filesize
2.5MB
MD5f4a2df2da0139b9e7d6533bc4bdae8ca
SHA1704ae0cf33afa085ac80f62b112d7ff346d615ef
SHA256b5a6f9e12290cd6d15551147f206ad3ae5ac31a3b7c5550d879be5676022daa0
SHA512fd21c60a532dc01b7e5139cda1aa2c6864e99deb35f33ed0157ffa098812724bb6a03f67b3dd79f841ba554d238a33b9d9d4feebb61fa6e5d3cc1df53fee79b1
-
Filesize
2.5MB
MD5efbeba9af482bea52da165e4eb46f98d
SHA103956cbbe65f57c6b6e7a0f17441fc304b06da0d
SHA2563947d96f3e3cba8c61383408bb1e1a141c87a858ee401262ec432eb016c2be13
SHA5126d88c24f7434115197e201eb4d61cc9c8d23c7e1ccf8087fca24140acf34e9097be1921e63dc7da96dde8b7f4c96d6156ba016d6805eb635a633ad6e985912cd