Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 17/06/2024, 06:57
Static task: static1
Behavioral task: behavioral1
  Sample: 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe
Size: 66KB
MD5: 5dbca57b201b24cf86387e90b35b28a0
SHA1: 467f93a895a8c2242c52d3ee279935aec8af69c8
SHA256: 34233911c8a1a874ee4009b7bd6b36a558aca7dcb12f443cbe8877f7968b968c
SHA512: b33a59e39890b98b5d91329044ebd3fd233c3ae4a4d7ccc2f9cef38f82f8eedf701dd9c957908b33fe89cbb46d74c160ca744e4cc1931a9a8976d48ed54a399d
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi/VVVVVVVVVVVVVVVVVVVVQ:IeklMMYJhqezw/pXzH9i/VVVVVVVVVVs
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Executes dropped EXE (4 IoCs)
pid | Process
2312 | explorer.exe
2484 | spoolsv.exe
2520 | svchost.exe
2368 | spoolsv.exe
Loads dropped DLL (8 IoCs)
pid | Process
2556 | 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe (x2)
2312 | explorer.exe (x2)
2484 | spoolsv.exe (x2)
2520 | svchost.exe (x2)
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2556 | 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe (x1)
2312 | explorer.exe (x32)
2520 | svchost.exe (x31)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2312 | explorer.exe
2520 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2556 | 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe (x2)
2312 | explorer.exe (x2)
2484 | spoolsv.exe (x2)
2520 | svchost.exe (x2)
2368 | spoolsv.exe (x2)
2312 | explorer.exe (x2)
Suspicious use of WriteProcessMemory (28 IoCs; each row below was recorded 4 times)
description | pid | Process | procid_target
PID 2556 wrote to memory of 2312 | 2556 | 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe | 28
PID 2312 wrote to memory of 2484 | 2312 | explorer.exe | 29
PID 2484 wrote to memory of 2520 | 2484 | spoolsv.exe | 30
PID 2520 wrote to memory of 2368 | 2520 | svchost.exe | 31
PID 2520 wrote to memory of 1544 | 2520 | svchost.exe | 32
PID 2520 wrote to memory of 2324 | 2520 | svchost.exe | 36
PID 2520 wrote to memory of 1712 | 2520 | svchost.exe | 38
Processes
(The leading number is the depth of the process in the execution tree.)

1. C:\Users\Admin\AppData\Local\Temp\5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe"
   PID: 2556
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\windows\system\explorer.exe
      Command line: c:\windows\system\explorer.exe
      PID: 2312
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. \??\c:\windows\system\spoolsv.exe
         Command line: c:\windows\system\spoolsv.exe SE
         PID: 2484
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. \??\c:\windows\system\svchost.exe
            Command line: c:\windows\system\svchost.exe
            PID: 2520
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. \??\c:\windows\system\spoolsv.exe
               Command line: c:\windows\system\spoolsv.exe PR
               PID: 2368
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx

            5. C:\Windows\SysWOW64\at.exe
               Command line: at 06:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
               PID: 1544

            5. C:\Windows\SysWOW64\at.exe
               Command line: at 07:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
               PID: 2324

            5. C:\Windows\SysWOW64\at.exe
               Command line: at 07:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
               PID: 1712
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads