Analysis
- max time kernel: 149s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/06/2024, 13:41
Static task: static1
Behavioral task: behavioral1
- Sample: 80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
- Size: 73KB
- MD5: 80e1270ec98ef88546108876dc62e490
- SHA1: 405faa42a8f1aa30f725fa1085cbf37047aee980
- SHA256: 0f8c1fde7835deb96a07cb49c5e9c4e6678376663988fcade656b69cb9ad8fe6
- SHA512: 4ec8d110ee2df2f77f9c04a7eac9f9372f5a2ebddec4a61e1ac2902774911923839a7bf60a52d261a647477f069cc7e2e2e3c14208a52893dc567be33a0bdcbb
- SSDEEP: 1536:x3jgs+6phKAQx5c895P5Zxuyowea2eJYIuv1iahWuSxaqMXSmH:BTdphKRxR95P5Zhowea2yuv/hWuSxa9l
Malware Config
Signatures

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | eanvearoh-uted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | eanvearoh-uted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | eanvearoh-uted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | eanvearoh-uted.exe
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{544D5541-4342-4c42-544D-554143424c42}\StubPath = "C:\\Windows\\system32\\ulgapox.exe" | eanvearoh-uted.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{544D5541-4342-4c42-544D-554143424c42} | eanvearoh-uted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{544D5541-4342-4c42-544D-554143424c42}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | eanvearoh-uted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{544D5541-4342-4c42-544D-554143424c42}\IsInstalled = "1" | eanvearoh-uted.exe
Sets file execution options in registry 2 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | eanvearoh-uted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | eanvearoh-uted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\lvobok-eabid.exe" | eanvearoh-uted.exe
Executes dropped EXE 2 IoCs
pid | Process
2032 | eanvearoh-uted.exe
2348 | eanvearoh-uted.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | eanvearoh-uted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | eanvearoh-uted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | eanvearoh-uted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | eanvearoh-uted.exe
Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | eanvearoh-uted.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | eanvearoh-uted.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | eanvearoh-uted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | eanvearoh-uted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\uxgoateap.dll" | eanvearoh-uted.exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\lvobok-eabid.exe | eanvearoh-uted.exe
File created | C:\Windows\SysWOW64\uxgoateap.dll | eanvearoh-uted.exe
File opened for modification | C:\Windows\SysWOW64\eanvearoh-uted.exe | eanvearoh-uted.exe
File created | C:\Windows\SysWOW64\eanvearoh-uted.exe | 80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\lvobok-eabid.exe | eanvearoh-uted.exe
File opened for modification | C:\Windows\SysWOW64\ulgapox.exe | eanvearoh-uted.exe
File created | C:\Windows\SysWOW64\ulgapox.exe | eanvearoh-uted.exe
File opened for modification | C:\Windows\SysWOW64\uxgoateap.dll | eanvearoh-uted.exe
File opened for modification | C:\Windows\SysWOW64\eanvearoh-uted.exe | 80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
64 entries in total: two entries for PID 2348 eanvearoh-uted.exe; every other entry is PID 2032 eanvearoh-uted.exe (repeated).
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2032 | eanvearoh-uted.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4956 wrote to memory of 2032 | 4956 | 80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe | 84 (3 entries)
PID 2032 wrote to memory of 2348 | 2032 | eanvearoh-uted.exe | 85 (3 entries)
PID 2032 wrote to memory of 616 | 2032 | eanvearoh-uted.exe | 5 (1 entry)
PID 2032 wrote to memory of 3480 | 2032 | eanvearoh-uted.exe | 56 (all remaining entries of the 64, repeated)
Processes
- C:\Windows\system32\winlogon.exe (command line: winlogon.exe), level 1, PID:616
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), level 1, PID:3480
  - C:\Users\Admin\AppData\Local\Temp\80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe"), level 2, PID:4956
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\eanvearoh-uted.exe (command line: "C:\Windows\SysWOW64\eanvearoh-uted.exe"), level 3, PID:2032
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Executes dropped EXE
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\eanvearoh-uted.exe (command line: --k33p), level 4, PID:2348
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 71KB
  MD5: 62a1c2e92143b04db8b04cba7de882ae
  SHA1: 0e7cde87e133f441b7d4a9fcca14f9403e854863
  SHA256: c602983438e58f291ace2f8435783e664de934c8d14533cb078012e367bc11b9
  SHA512: a0e05ae7d9bb6b48851f0851548c2e31fd918f2e6f6c6c5c696efe76df1bbf7af23705a682f301384c22ffc47e7a20536d87fc6e0473ce3cb8134b09822baad6
- Filesize: 74KB
  MD5: 24a184421bb37d4e24baca8517507dbe
  SHA1: 74c966068723441b417cf9cc229691b9b3d0a44f
  SHA256: 112d52a113724b7e0d896496fb3e66960963a9e7ab556fc8e34e276fa1d39f07
  SHA512: 1a6bc03bfe017914ff24e39837c6bc85d629e2327c983866450f7557765ba6d28aafe28965f5d1d260d0fb9f83870630ed93a5d6d6ef99eda18ec1f4bd8c971e
- Filesize: 73KB
  MD5: 709fc01200dee0de75b2606bbe42777c
  SHA1: a354eb6676fbbef9bfb002e049d8b1fe1d45bbde
  SHA256: 99b716862f075f955e50851baab7d43632c08b6aefcbd62deba8e1231ec4afb7
  SHA512: 9ac787187001b40b4f96d6eafe22088f13890fb40b73cecd8f37f942d9c89e3d9037ebd4a7aff87565a765842ab07ea631d18ff56c163c5cb21d1af62d012e6d
- Filesize: 5KB
  MD5: f37b21c00fd81bd93c89ce741a88f183
  SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
  SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
  SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4