Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0a4a2bdf15...cs.exe

windows7-x64

10

0a4a2bdf15...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    10/06/2024, 05:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a4a2bdf1520ea368dda567ce423b1f0_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    0a4a2bdf1520ea368dda567ce423b1f0

  • SHA1

    43e8b4b62303f634d578027941d73ddb8850af59

  • SHA256

    bc37a8257d3abbce99147ba063fcdd36a635d5a2406218f01d5eaf64485aa659

  • SHA512

    b3d2ca5860d76158761e04181aad250d5ebc067aaf3b9bb6591defd6963aa05108f3111f519895da8092dc4ef11042ea2f52ab829b5ecef83650fdb940eebb9f

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiQ:IeklMMYJhqezw/pXzH9iQ

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a4a2bdf1520ea368dda567ce423b1f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0a4a2bdf1520ea368dda567ce423b1f0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1620
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3044
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2536
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2404
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2400
          • C:\Windows\SysWOW64\at.exe
            at 05:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2396
            • C:\Windows\SysWOW64\at.exe
              at 05:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2940
              • C:\Windows\SysWOW64\at.exe
                at 05:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3068

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          f5f30798dd84c1bd2a553f111b4d5451

          SHA1

          536ee4221998576bb59a311f8b3f8a7a66706dcb

          SHA256

          be3347b0f8f0e54f0f9a2919cd05f4f6f1c01144f15823d7ed8e553298f7b8fe

          SHA512

          3a39985adadf9d1530c3503b01b22baa3d87a22aad7407331c6873dde09c7ac550dedd28fd57c73a8485ae8b2fde51204b7162d2ddb0dd9f8ebe3f7f2a47c334

          Download Submit

        • C:\Windows\system\spoolsv.exe
          Filesize

          66KB

          MD5

          c6c27cefa25c85a223d5220de9609f2f

          SHA1

          dcdadc87d314f37d58a5820f4b2ada41bd75a4d6

          SHA256

          eb4c9e262d341c9a36316a05c00394ae06b1c3a9dfa5be0a8fce71cf7f562c6b

          SHA512

          651edfede3db1f0492f95361dec98cd35840bbf1b2bc9978f40cdbec074c3edb4c500e4fea24e653097980d82916e4ec5a93934e3341f3975fff561b9a1f73d2

          Download Submit

        • C:\Windows\system\svchost.exe
          Filesize

          66KB

          MD5

          677fc6fe7ef9f43bef1d71572d448c5f

          SHA1

          c0196349e76a1d02d522371dce196b4c146ea18a

          SHA256

          116ec2ef589647f547b1de98ef9692e9a3c057a831afbaaeec32e95415b0a7c3

          SHA512

          30eefdd441dd950a1d49386185f78dce6a679c8419c0586cb17640d1c6b201f09062eb5a7d6abeb9d077fe372c7b3b4eef81e2790cb48f4ed10d1ce033150c7d

          Download Submit

        • \Windows\system\explorer.exe
          Filesize

          66KB

          MD5

          2fe85d8de2094a82d8a6f7d5decf1c27

          SHA1

          51e0090d69ee5d9ddc413ff91e19f473c4e5f865

          SHA256

          6e897c3b15a8bd5d0b592c3a11564c6db5649a4006746c3f5f6eb9f6ec64ea2a

          SHA512

          15748febde71ad00d6922dee706c698dce7ffe20f00cadee16b633b1fd53993518678c55fe23d3b918c6896c58bbd6b415ae068a71056fcf2104bec2abf1e7fb

          Download Submit

        • memory/1620-74-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1620-6-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1620-1-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1620-2-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1620-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1620-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1620-19-0x0000000002760000-0x0000000002791000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1620-75-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2400-63-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2400-69-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2404-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2404-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2404-52-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2404-79-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2536-34-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2536-40-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2536-45-0x00000000006D0000-0x0000000000701000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2536-73-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2536-35-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3044-17-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3044-77-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3044-21-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3044-88-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download