Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 145s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 13/06/2024, 13:41
Static task: static1
Behavioral task: behavioral1
  Sample: 80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
Size: 73KB
MD5: 80e1270ec98ef88546108876dc62e490
SHA1: 405faa42a8f1aa30f725fa1085cbf37047aee980
SHA256: 0f8c1fde7835deb96a07cb49c5e9c4e6678376663988fcade656b69cb9ad8fe6
SHA512: 4ec8d110ee2df2f77f9c04a7eac9f9372f5a2ebddec4a61e1ac2902774911923839a7bf60a52d261a647477f069cc7e2e2e3c14208a52893dc567be33a0bdcbb
SSDEEP: 1536:x3jgs+6phKAQx5c895P5Zxuyowea2eJYIuv1iahWuSxaqMXSmH:BTdphKRxR95P5Zhowea2yuv/hWuSxa9l
Malware Config
Signatures
Windows security bypass 4 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | eanvearoh-uted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | eanvearoh-uted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | eanvearoh-uted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | eanvearoh-uted.exe
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858} | eanvearoh-uted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | eanvearoh-uted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\IsInstalled = "1" | eanvearoh-uted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\StubPath = "C:\\Windows\\system32\\ulgapox.exe" | eanvearoh-uted.exe
Sets file execution options in registry 2 TTPs 3 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | eanvearoh-uted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | eanvearoh-uted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\lvobok-eabid.exe" | eanvearoh-uted.exe
Executes dropped EXE 2 IoCs
pid | process
2864 | eanvearoh-uted.exe
1324 | eanvearoh-uted.exe
Loads dropped DLL 3 IoCs
pid | process
2064 | 80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
2064 | 80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
2864 | eanvearoh-uted.exe
Windows security modification 4 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | eanvearoh-uted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | eanvearoh-uted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | eanvearoh-uted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | eanvearoh-uted.exe
Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | eanvearoh-uted.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | eanvearoh-uted.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | eanvearoh-uted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | eanvearoh-uted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\uxgoateap.dll" | eanvearoh-uted.exe
Drops file in System32 directory 9 IoCs
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\lvobok-eabid.exe | eanvearoh-uted.exe
File opened for modification | C:\Windows\SysWOW64\eanvearoh-uted.exe | eanvearoh-uted.exe
File opened for modification | C:\Windows\SysWOW64\eanvearoh-uted.exe | 80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\eanvearoh-uted.exe | 80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\lvobok-eabid.exe | eanvearoh-uted.exe
File opened for modification | C:\Windows\SysWOW64\ulgapox.exe | eanvearoh-uted.exe
File created | C:\Windows\SysWOW64\ulgapox.exe | eanvearoh-uted.exe
File opened for modification | C:\Windows\SysWOW64\uxgoateap.dll | eanvearoh-uted.exe
File created | C:\Windows\SysWOW64\uxgoateap.dll | eanvearoh-uted.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | process
2864 | eanvearoh-uted.exe (63 entries)
1324 | eanvearoh-uted.exe (1 entry)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | process
Token: SeDebugPrivilege | 2864 | eanvearoh-uted.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | process | procid_target
PID 2064 wrote to memory of 2864 | 2064 | 80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe | 28 (4 entries)
PID 2864 wrote to memory of 436 | 2864 | eanvearoh-uted.exe | 5 (1 entry)
PID 2864 wrote to memory of 1324 | 2864 | eanvearoh-uted.exe | 29 (4 entries)
PID 2864 wrote to memory of 1228 | 2864 | eanvearoh-uted.exe | 21 (all remaining entries of the 64 listed)
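The registry signatures above are the persistence and defence-evasion artefacts a responder would hunt for on other hosts: a Debugger value under Image File Execution Options for explorer.exe, an Active Setup StubPath, a Winlogon Notify DLLName, and the Security Center *DisableNotify / AntiVirusOverride values. The Python below is an added example, not tria.ge code: it parses registry-write lines in the exact shape this report prints them, normalises the Wow6432Node view, and maps each hit to an ATT&CK Enterprise technique. The rule set and technique mapping are the example's own; the sample input is constructed from the IoCs on this page plus one made-up unrelated write to show a non-match.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the two registry-event shapes used in the report above:
#   Set value (<type>) <key>\<value name> = "<data>" <process>
#   Key created <key> <process>
# The key may contain spaces, so the process is taken as the final token
# and the key is matched non-greedily.
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>.*)")? '
    r'(?P<process>\S+)$'
)

# (ATT&CK technique, label, regex over the canonical lower-case key path).
# This mapping is the example's own, not part of the report.
RULES = [
    ("T1546.012", "IFEO Debugger hijack",
     r"\\image file execution options\\[^\\]+\\debugger$"),
    ("T1547.014", "Active Setup StubPath",
     r"\\active setup\\installed components\\[^\\]+\\stubpath$"),
    ("T1547.004", "Winlogon Notify DLL",
     r"\\winlogon\\notify\\[^\\]+\\dllname$"),
    ("T1562.001", "Security Center notifications suppressed",
     r"\\security center\\(?:antivirus|firewall|updates)disablenotify$"
     r"|\\security center\\antivirusoverride$"),
]
COMPILED = [(tid, label, re.compile(rx)) for tid, label, rx in RULES]


@dataclass(frozen=True)
class Finding:
    technique: str
    label: str
    key: str              # canonical lower-case path, Wow6432Node removed
    data: Optional[str]
    process: str
    wow64: bool           # True if the write landed in the 32-bit (Wow6432Node) view


def canonical_key(raw: str):
    """'\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\X' -> ('hklm\\software\\x', True)."""
    key = raw.lower()
    key = key.replace("\\registry\\machine\\", "hklm\\", 1)
    key = key.replace("\\registry\\user\\", "hku\\", 1)
    wow64 = "\\wow6432node\\" in key
    return key.replace("\\wow6432node\\", "\\"), wow64


def parse_event(line: str):
    """Return the event fields as a dict, or None if the line is not in report shape."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Apply RULES to every 'Set value' event; a bare 'Key created' is not a finding."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["data"] is None:
            continue
        key, wow64 = canonical_key(ev["path"])
        for tid, label, rx in COMPILED:
            if rx.search(key):
                findings.append(Finding(tid, label, key, ev["data"], ev["process"], wow64))
                break
    return findings


# Constructed sample: the first six lines are IoCs taken from the report above,
# the last is a made-up unrelated write included to show a non-match.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\lvobok-eabid.exe" eanvearoh-uted.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\StubPath = "C:\\Windows\\system32\\ulgapox.exe" eanvearoh-uted.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\uxgoateap.dll" eanvearoh-uted.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" eanvearoh-uted.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\IsInstalled = "1" eanvearoh-uted.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify eanvearoh-uted.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        view = "WOW64 view" if f.wow64 else "native view"
        print(f"{f.technique} {f.label}: {f.key} -> {f.data} by {f.process} ({view})")
```

Three of the four hits sit under Wow6432Node because the dropped binary is 32-bit running on an x64 image; a hunt that reads only the native 64-bit view of HKLM\SOFTWARE misses them, which is why the parser canonicalises the path and records the view separately. The IFEO write appears under the native path in the report, consistent with Image File Execution Options being a key that WOW64 does not redirect, so the explorer.exe Debugger value must be checked there even for a 32-bit dropper.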
Processes

C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 436

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1228

  C:\Users\Admin\AppData\Local\Temp\80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe"
    PID: 2064
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\eanvearoh-uted.exe
      command line: "C:\Windows\SysWOW64\eanvearoh-uted.exe"
      PID: 2864
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\eanvearoh-uted.exe
        command line: --k33p
        PID: 1324
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 74KB
MD5: 2380bed18672709b46c864186d67125b
SHA1: 01155b4d6e2d4191b641007b91bfa8b5bac8f63e
SHA256: 5643503d2c8b0d52ae3a9e1d8e67f57633fb61bd84391b8aba5200322c27f95c
SHA512: 66923d69489cd0b2da9effabe356b1a843bf84863b6c4556db1aa7003d96df069c45c97ef9d29f8ba8d260306b28687ca9e45f8bd6bfa34fab9c19bb96f5dba9

Filesize: 73KB
MD5: 0be0aee1b301f8817b746f6c1bc58fe5
SHA1: a02ab17c0b5c592d176da6111c8b74a2b3d785cc
SHA256: 12fe51117b2b00cd96cc429f0dacbcca90a655498d46280660be9a23dca27037
SHA512: af8ce1c7092a21aa6df65b56f634d4f0cfde9c2c97888e9edc5ad2cdf386fe9dd3f6eb25db207ce8d82c9fac57ccbb2e5a161f8e431eb7b598b2ea3d91fb8733

Filesize: 5KB
MD5: f37b21c00fd81bd93c89ce741a88f183
SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Filesize: 71KB
MD5: 62a1c2e92143b04db8b04cba7de882ae
SHA1: 0e7cde87e133f441b7d4a9fcca14f9403e854863
SHA256: c602983438e58f291ace2f8435783e664de934c8d14533cb078012e367bc11b9
SHA512: a0e05ae7d9bb6b48851f0851548c2e31fd918f2e6f6c6c5c696efe76df1bbf7af23705a682f301384c22ffc47e7a20536d87fc6e0473ce3cb8134b09822baad6