Analysis
max time kernel: 150s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/06/2024, 05:20
Static task: static1
Behavioral task: behavioral1
  Sample: 0a4a2bdf1520ea368dda567ce423b1f0_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 0a4a2bdf1520ea368dda567ce423b1f0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 0a4a2bdf1520ea368dda567ce423b1f0_NeikiAnalytics.exe
Size: 66KB
MD5: 0a4a2bdf1520ea368dda567ce423b1f0
SHA1: 43e8b4b62303f634d578027941d73ddb8850af59
SHA256: bc37a8257d3abbce99147ba063fcdd36a635d5a2406218f01d5eaf64485aa659
SHA512: b3d2ca5860d76158761e04181aad250d5ebc067aaf3b9bb6591defd6963aa05108f3111f519895da8092dc4ef11042ea2f52ab829b5ecef83650fdb940eebb9f
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiQ:IeklMMYJhqezw/pXzH9iQ
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Executes dropped EXE (4 IoCs)
pid | process
1776 | explorer.exe
3648 | spoolsv.exe
1204 | svchost.exe
2684 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | process
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 0a4a2bdf1520ea368dda567ce423b1f0_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process (64 entries, every one of which is one of the following three pairs)
1248 | 0a4a2bdf1520ea368dda567ce423b1f0_NeikiAnalytics.exe
1776 | explorer.exe
1204 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | process
1776 | explorer.exe
1204 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | process (12 entries; each pair below appears twice, 1776 explorer.exe four times)
1248 | 0a4a2bdf1520ea368dda567ce423b1f0_NeikiAnalytics.exe
1776 | explorer.exe
3648 | spoolsv.exe
1204 | svchost.exe
2684 | spoolsv.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | process | procid_target (each row below is reported three times, giving 21 entries)
PID 1248 wrote to memory of 1776 | 1248 | 0a4a2bdf1520ea368dda567ce423b1f0_NeikiAnalytics.exe | 80
PID 1776 wrote to memory of 3648 | 1776 | explorer.exe | 81
PID 3648 wrote to memory of 1204 | 3648 | spoolsv.exe | 82
PID 1204 wrote to memory of 2684 | 1204 | svchost.exe | 83
PID 1204 wrote to memory of 1388 | 1204 | svchost.exe | 84
PID 1204 wrote to memory of 1344 | 1204 | svchost.exe | 94
PID 1204 wrote to memory of 3816 | 1204 | svchost.exe | 96
Processes
C:\Users\Admin\AppData\Local\Temp\0a4a2bdf1520ea368dda567ce423b1f0_NeikiAnalytics.exe (PID 1248, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a4a2bdf1520ea368dda567ce423b1f0_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe (PID 1776, depth 2)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe (PID 3648, depth 3)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe (PID 1204, depth 4)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe (PID 2684, depth 5)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe (PID 1388, depth 5)
          Command line: at 05:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe (PID 1344, depth 5)
          Command line: at 05:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe (PID 3816, depth 5)
          Command line: at 05:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads