Analysis
max time kernel: 151s
max time network: 124s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 12/06/2024, 08:10
Static task: static1
Behavioral task: behavioral1
  Sample: 2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
Size: 206KB
MD5: 2a5d37ef371d04f388314db0d46fefc0
SHA1: 6e499e82ee0aa7f0f490a6f6f83dfaa450fa76cc
SHA256: fbca5bf7c9222d3244b16c78e37c2c6e4a6ae13e9f6d9936e222753a698b476c
SHA512: 19a3599cd87777557f84024189f251ca62ecf8f551b30fc17cc0348b2be30e468c029907fc2457219f6799092c01e0dcba087f6f81b84f6bbb9f4645019e066f
SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unL8:5vEN2U+T6i5LirrllHy4HUcMQY6K8
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
2592 | explorer.exe
3060 | spoolsv.exe
2084 | svchost.exe
2776 | spoolsv.exe
Loads dropped DLL (8 IoCs)
pid | Process
1252 | 2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
1252 | 2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
2592 | explorer.exe
2592 | explorer.exe
3060 | spoolsv.exe
3060 | spoolsv.exe
2084 | svchost.exe
2084 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | 2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1252 | 2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
2592 | explorer.exe
2592 | explorer.exe
2592 | explorer.exe
2592 | explorer.exe
2592 | explorer.exe
2084 | svchost.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
2592 | explorer.exe
2084 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2592 | explorer.exe
2084 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
1252 | 2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
1252 | 2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
2592 | explorer.exe
2592 | explorer.exe
3060 | spoolsv.exe
3060 | spoolsv.exe
2084 | svchost.exe
2084 | svchost.exe
2776 | spoolsv.exe
2776 | spoolsv.exe
2592 | explorer.exe
2592 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 1252 wrote to memory of 2592 | 1252 | 2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe | 28
PID 1252 wrote to memory of 2592 | 1252 | 2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe | 28
PID 1252 wrote to memory of 2592 | 1252 | 2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe | 28
PID 1252 wrote to memory of 2592 | 1252 | 2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe | 28
PID 2592 wrote to memory of 3060 | 2592 | explorer.exe | 29
PID 2592 wrote to memory of 3060 | 2592 | explorer.exe | 29
PID 2592 wrote to memory of 3060 | 2592 | explorer.exe | 29
PID 2592 wrote to memory of 3060 | 2592 | explorer.exe | 29
PID 3060 wrote to memory of 2084 | 3060 | spoolsv.exe | 30
PID 3060 wrote to memory of 2084 | 3060 | spoolsv.exe | 30
PID 3060 wrote to memory of 2084 | 3060 | spoolsv.exe | 30
PID 3060 wrote to memory of 2084 | 3060 | spoolsv.exe | 30
PID 2084 wrote to memory of 2776 | 2084 | svchost.exe | 31
PID 2084 wrote to memory of 2776 | 2084 | svchost.exe | 31
PID 2084 wrote to memory of 2776 | 2084 | svchost.exe | 31
PID 2084 wrote to memory of 2776 | 2084 | svchost.exe | 31
PID 2084 wrote to memory of 2956 | 2084 | svchost.exe | 32
PID 2084 wrote to memory of 2956 | 2084 | svchost.exe | 32
PID 2084 wrote to memory of 2956 | 2084 | svchost.exe | 32
PID 2084 wrote to memory of 2956 | 2084 | svchost.exe | 32
PID 2084 wrote to memory of 2032 | 2084 | svchost.exe | 36
PID 2084 wrote to memory of 2032 | 2084 | svchost.exe | 36
PID 2084 wrote to memory of 2032 | 2084 | svchost.exe | 36
PID 2084 wrote to memory of 2032 | 2084 | svchost.exe | 36
PID 2084 wrote to memory of 2288 | 2084 | svchost.exe | 38
PID 2084 wrote to memory of 2288 | 2084 | svchost.exe | 38
PID 2084 wrote to memory of 2288 | 2084 | svchost.exe | 38
PID 2084 wrote to memory of 2288 | 2084 | svchost.exe | 38
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe"
  PID: 1252
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Depth 2: \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 2592
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Depth 3: \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 3060
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Depth 4: \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 2084
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Depth 5: \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 2776
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        Depth 5: C:\Windows\SysWOW64\at.exe
          Command line: at 08:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2956
        Depth 5: C:\Windows\SysWOW64\at.exe
          Command line: at 08:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2032
        Depth 5: C:\Windows\SysWOW64\at.exe
          Command line: at 08:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2288
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
Dropped file 1
  Filesize: 206KB
  MD5: e22201c5eba32881dcd911834885571d
  SHA1: 0e5dea67447ef3ab3752153dbb43863034edb2e7
  SHA256: cb584f9806fffeb68c377a004fb37300d0c8182439353a03d1cf5b81706b643d
  SHA512: 14bdc96335888a9bb3b0c77e892a5d391c87e860fe39201ff18cba29a94a20cbdcb9dc4fef8378ad7c40e073c30abd67048403f149d587b555d54610bfe8a4b8
Dropped file 2
  Filesize: 206KB
  MD5: 042e943b08cd37d5337cc952602fec17
  SHA1: 17d2b92942c178ba900b34a14a99b8da6c7dcef8
  SHA256: c08526681c39043a579ae4659ad07217cadb694158278ff7739343d74983000f
  SHA512: 5132d7886d46177610333bcb6803a7857eae1f320855e7c3cae9b5deeee1f1898da72804e3ada906573d86a3d80510f84e82755bac2fd2fb038446163f6b2ecc
Dropped file 3
  Filesize: 206KB
  MD5: 1e1070f27d94f7ba268e970e0270e772
  SHA1: 0f3b01c02376fa36365b29ed3832c8e4dc685ab0
  SHA256: 21ad7b73f48223b8c68667ff6ed1fde2323977cbd7dcacfa917d619ed40bdcec
  SHA512: 96c3d3a72450711ff84fd80f1f38423eff031f12eac92cdfe76b5797070b6f1eed272c01c1dba2b071a37e01dda74cee29b67eba228a9d27921610e63d20d336
Dropped file 4
  Filesize: 206KB
  MD5: 0e7a32c6baeb009843291dd773dbf2d3
  SHA1: 254b3daa68151326e6c3c69153ccfcd25af09873
  SHA256: 9037e158478e55a26acbc18fee46d757d3e9d1b6247e13e917dc416182d0e5ef
  SHA512: 2cb056cae2afa25cc2fb65da0865207798db0b80eeffa5f4bf11298770fd56f868f2aed038bd4104c80d6b3b0a262ed7b724a19c82bb6c9655d4b11216cc99da