Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

256790a9c5...cs.exe

windows7-x64

10

256790a9c5...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/06/2024, 03:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    256790a9c5b61eac61c88fc946501a50_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    256790a9c5b61eac61c88fc946501a50

  • SHA1

    65ea5473cdafb9b124eebd780f5f305e4d88303c

  • SHA256

    290549df7c08227c1f9f25d25264ba6cb6420200c0277ebb3c3c50b6e1886cbe

  • SHA512

    709c473b64384f40b89f5e5bd9c50c624d6dba9dac752ec5e3bf7da42875a50140b5fb13cc872d9a11d4755d18eb44e7b2c1528b86dcdb90b4902b266a6ea853

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXia:IeklMMYJhqezw/pXzH9ia

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\256790a9c5b61eac61c88fc946501a50_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\256790a9c5b61eac61c88fc946501a50_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4180
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2516
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5088
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3852
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1152
          • C:\Windows\SysWOW64\at.exe
            at 03:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:3724
            • C:\Windows\SysWOW64\at.exe
              at 03:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:3976
              • C:\Windows\SysWOW64\at.exe
                at 03:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4732

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          15e98da64aecbd6534c452d8b4c97091

          SHA1

          015fbb5461543645d1d32670505560ef81099a6f

          SHA256

          b7bc3412171e5a42299c87904fb272d9da8740e4d1cda68f8b9c5304eb8ad22f

          SHA512

          8abb0c7e6b5fddb4f9c7e360a5e9f24bc7e85fc0fba4641afa357fbc74d48adb65cab7e850af2fbda9a8c39c6cf3f2382eb3bc84fb35d968ec0d2969ebaa3156

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          c6d9d17cf20027c5b548c759a7d0148f

          SHA1

          b14d5c80bd58301bfd9cc54d9e0f4a0a8871cc2e

          SHA256

          16d1dcecfdb7a8e15308497a8d615a6e37c9eadd216a745a4a05c887519cc62e

          SHA512

          fc4ed9522b3976770a4dfb30767ba31ec62f799fb083fbc485af3c83aede2b41310520a691d8e528db79c1d21e078009ea06d96c44729d532551f7ccef7dbc5e

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          3d7df79732577c7d80eb979c00048ee7

          SHA1

          886ad3aefe555e9de25a89083207ac42dce9bac0

          SHA256

          c47e74ee54ff9e0c385afb239476d5f783b0c89cc2813c2328f52ca005b34ac9

          SHA512

          bb04d8d1f687ab3cd4da984285b1b972f9832903602aa696d328875dc131509b041cb3aed4f2b64f3e4579d24c14b0ed7c81a8d8ab822be44fe2bdcd3a2c886b

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          97bfb25916b157e6cf3a45373af9d593

          SHA1

          dfd6b9b4377e6a873b0f7c0f223b3dd0f11cc607

          SHA256

          8fc88d5800e68340a268b083874d7265439d8ffe585d823392e921f3a3e809fd

          SHA512

          5604b93879435fdd2e5fa4691bf18cd712569150eae179e226a0ddd23ae10716e377288bbf1c8d031561883f8eee391d363250f33a1fd7324ff627abf280ef6f

          Download Submit

        • memory/1152-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1152-43-0x00000000759D0000-0x0000000075B2D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1152-42-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2516-67-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2516-57-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2516-15-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2516-13-0x00000000759D0000-0x0000000075B2D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3852-35-0x00000000759D0000-0x0000000075B2D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3852-39-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3852-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4180-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4180-54-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4180-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4180-55-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4180-2-0x00000000759D0000-0x0000000075B2D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4180-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4180-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/5088-28-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5088-24-0x00000000759D0000-0x0000000075B2D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/5088-52-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download