Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2449161e8f...cs.dll

windows7-x64

7

2449161e8f...cs.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/06/2024, 06:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2449161e8fa06ccd0b6519d6ff761820_NeikiAnalytics.dll

  • Size

    500KB

  • MD5

    2449161e8fa06ccd0b6519d6ff761820

  • SHA1

    55a8ed75679a79175ab528e93912e0e39aa7b044

  • SHA256

    ac142a0fb80e50e856e020a3a5f30ec31bb95114b91d75878ed1ff1307d080fb

  • SHA512

    a8cf2bc1dddfe35b00477a41fca6b822aa6aded77c38b122e5bbc2ec1a6274eba96183dfd26a6b42ae5190eb06346313b8ef0cd79d64c4795f396217aad962a4

  • SSDEEP

    6144:Mi05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:nrHGPv5SmptZDmUWuVZkxikdXcq

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2449161e8fa06ccd0b6519d6ff761820_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1692
  • C:\Windows\system32\MicrosoftEdgeCP.exe
    C:\Windows\system32\MicrosoftEdgeCP.exe
    1⤵
      PID:3212
    • C:\Windows\system32\taskhostw.exe
      C:\Windows\system32\taskhostw.exe
      1⤵
        PID:744
      • C:\Windows\system32\tcmsetup.exe
        C:\Windows\system32\tcmsetup.exe
        1⤵
          PID:4224
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\NSV.cmd
          1⤵
            PID:3612
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{3a08b51c-18ae-b8b8-79b6-366761e0ad6d}"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:4580
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{3a08b51c-18ae-b8b8-79b6-366761e0ad6d}"
              2⤵
                PID:1456
            • C:\Windows\system32\odbcconf.exe
              C:\Windows\system32\odbcconf.exe
              1⤵
                PID:1660
              • C:\Windows\system32\AgentService.exe
                C:\Windows\system32\AgentService.exe
                1⤵
                  PID:4952
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\foVrzg.cmd
                  1⤵
                  • Drops file in System32 directory
                  PID:4916
                • C:\Windows\System32\fodhelper.exe
                  "C:\Windows\System32\fodhelper.exe"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4792
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\gf01M.cmd
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:840
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /Create /F /TN "Bjikfkop" /SC minute /MO 60 /TR "C:\Windows\system32\7531\AgentService.exe" /RL highest
                      3⤵
                      • Creates scheduled task(s)
                      PID:3264

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\1492F.tmp
                  Filesize

                  504KB

                  MD5

                  4459d6b6d7fc74b1057b276a7523b875

                  SHA1

                  30fecfa13359a44f3ee5238c2762fa95a3cc5bbb

                  SHA256

                  6a58bc36894903a12dcd4e2759f0ddaf06be9e918330439bd0fca57c5894bad0

                  SHA512

                  6c78e7b1dbb66ea6629249a55cf1b4822de999f75ad11e7e453bd705859ef5bec0e4ea258e4e2b88a58ff230e70c24f981e388b7106d556768c81caf6a230838

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\NSV.cmd
                  Filesize

                  236B

                  MD5

                  ca6afa413684cb40b463f01d125e9857

                  SHA1

                  5226c3db6ad640f1e97036234c2b21a7125d7571

                  SHA256

                  6263bb1e968235d92b66b1d8b121a6c24812e57ada8c3f54c22493024907b6d4

                  SHA512

                  98bf3f72843cabe08e01caa75800c2760cdbf52bebe05b46d19d28a695e704578df1de6d048b019eb8563c3e48450eb08cef3f4f30fe72f77f9bc7828bb9ee72

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\foVrzg.cmd
                  Filesize

                  198B

                  MD5

                  3a4af33fae3936c0ace226bad4f1f605

                  SHA1

                  a11674936d501c2cb53d3db1ef2233e844e6ca10

                  SHA256

                  9707ae17d1d797928f73fc77c94eb19ffcc8e09d668321df8acfe13ae5d165b4

                  SHA512

                  50124a2f748aec10d31d45253993b1293ad917c15db75ae51cc9d787d7a89206cdfbfa9e948b7028b5c0d4a09c86dd63ca968f1de1739d564f9d6717bc071849

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\gf01M.cmd
                  Filesize

                  131B

                  MD5

                  ca7306d45ddf2467eb4025c7f8c95232

                  SHA1

                  fc55757adcf02b0cd4c964b447d30ec218a77ee5

                  SHA256

                  761e24488a6dd05a16e6481d8228bed5d775a22e29a97769f89346476af5245d

                  SHA512

                  5192021d998c988ba18a8207634d2336dd510cb02a42dec8492daf7111ca8b8d38e95afbd2677905a4facc797a4aa1e187d1b2fa9fe18dc2b623604af6977081

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\p0346BD.tmp
                  Filesize

                  508KB

                  MD5

                  4b28a5e6adebdbe34d41e07cdbfbfa11

                  SHA1

                  d1a0f9f237384cc0491aab85cb35738fd288bf27

                  SHA256

                  6f136fce4b3b76e41480d24eddf634660dfaf3725616b5f157a14a3539bde43d

                  SHA512

                  3ac71cd7266ce8c9284afab695a75ae6beb56ea813fa5d26c98a9604daa9f1118a51ed4e9706729e11eb479e06dc75330c7729722eb2404ab856389b2ba9c86c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tyoytnnsf.lnk
                  Filesize

                  914B

                  MD5

                  b003bebff468be10dccf8bd709882497

                  SHA1

                  a983a2bed9bbefca38ec2f89cc966957f32e8dab

                  SHA256

                  3a73740792d2e71600f2f6a8c0f6a1d584b7b33288b7a51e97e750f75bbcb381

                  SHA512

                  1768dec4b37c3f0206e3d6c699fd73614211bd7223ce3e8efe0dfa5417a7950e4a41047b226d304787c8a3f66b431a922ad2201029583c571a35035f76cf9275

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\WA5lIwZ\tcmsetup.exe
                  Filesize

                  16KB

                  MD5

                  58f3b915b9ae7d63431772c2616b0945

                  SHA1

                  6346e837da3b0f551becb7cac6d160e3063696e9

                  SHA256

                  e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

                  SHA512

                  7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

                  Download Submit

                • memory/1692-0-0x00000182D5E50000-0x00000182D5E57000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1692-1-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/1692-5-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-16-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-11-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-24-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-23-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-20-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-19-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-18-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-17-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-27-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-15-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-14-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-13-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-12-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-25-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-10-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-46-0x00007FFB5ACA0000-0x00007FFB5ACB0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3460-9-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-8-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-7-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-21-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-44-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-38-0x0000000000590000-0x0000000000597000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/3460-34-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-55-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-26-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-22-0x0000000140000000-0x000000014007D000-memory.dmp

                  Filesize

                  500KB

                  Download

                • memory/3460-6-0x00007FFB58DBA000-0x00007FFB58DBB000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3460-3-0x00000000027E0000-0x00000000027E1000-memory.dmp

                  Filesize

                  4KB

                  Download