Analysis
max time kernel: 150s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/06/2024, 06:57
Static task: static1
Behavioral task: behavioral1, sample 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe, resource win7-20240508-en
Behavioral task: behavioral2, sample 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe, resource win10v2004-20240508-en
The signatures, process tree and downloads below belong to the windows10-2004_x64 run (behavioral2); the win7 run is not shown on this page.
General
Target: 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe (the file name is the sample's MD5 with a _NeikiAnalytics suffix)
Size: 66KB
MD5: 5dbca57b201b24cf86387e90b35b28a0
SHA1: 467f93a895a8c2242c52d3ee279935aec8af69c8
SHA256: 34233911c8a1a874ee4009b7bd6b36a558aca7dcb12f443cbe8877f7968b968c
SHA512: b33a59e39890b98b5d91329044ebd3fd233c3ae4a4d7ccc2f9cef38f82f8eedf701dd9c957908b33fe89cbb46d74c160ca744e4cc1931a9a8976d48ed54a399d
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi/VVVVVVVVVVVVVVVVVVVVQ:IeklMMYJhqezw/pXzH9i/VVVVVVVVVVs
Malware Config
(none extracted)
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
Winlogon's Shell value normally holds exactly explorer.exe; Winlogon starts every comma-separated entry at logon, so the appended c:\windows\system\explorer.exe runs next to the real shell. Both writers here are the dropped copies, not the genuine C:\Windows\explorer.exe or a System32 svchost.exe.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
ShowSuperHidden = 0 keeps protected operating-system files hidden in Explorer. That is also the Windows default, so the value by itself is not evidence; the signal is that the dropped processes write it.
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- svchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- explorer.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
Active Setup runs a component's StubPath once per user at logon whenever the matching key is missing under HKCU, which makes it a per-user autostart. Two details worth a hunt rule: neither component name is a valid hex GUID (they contain letters such as Y, O, T, R, W, V, M, Q, N, L), and the StubPath points into the user's Roaming profile. mrsys.exe is referenced only here; no drop of it is recorded elsewhere in this report.
Executes dropped EXE (4 IoCs)
- PID 1020 explorer.exe
- PID 5056 spoolsv.exe
- PID 4036 svchost.exe
- PID 4996 spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
RunOnce values are removed when Windows consumes them; both dropped processes rewriting them is what keeps the entries present. The WOW6432Node paths throughout show that the writers are 32-bit processes on the x64 image (matching the arch:x86 resource tag).
Drops file in Windows directory (6 IoCs)
- 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe: File opened for modification \??\c:\windows\system\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\system\spoolsv.exe
- spoolsv.exe: File opened for modification \??\c:\windows\system\svchost.exe
- explorer.exe: File opened for modification \??\c:\windows\system\explorer.exe
- svchost.exe: File opened for modification \??\c:\windows\system\svchost.exe
- explorer.exe: File opened for modification C:\Windows\system\udsys.exe
C:\Windows\System is the legacy 16-bit component directory. The genuine explorer.exe lives in C:\Windows, and svchost.exe and spoolsv.exe in System32 (SysWOW64 for 32-bit), so any of these names under C:\Windows\System is a masquerade and a cheap file-path indicator.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 392 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe (2 hits)
- PID 1020 explorer.exe and PID 4036 svchost.exe (the remaining 62 hits, alternating between the two)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 1020 explorer.exe
- PID 4036 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 392 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe (2)
- PID 1020 explorer.exe (2)
- PID 5056 spoolsv.exe (2)
- PID 4036 svchost.exe (2)
- PID 4996 spoolsv.exe (2)
- PID 1020 explorer.exe (2)
Suspicious use of WriteProcessMemory (21 IoCs; each row is logged three times)
description | pid | Process | procid_target
- PID 392 wrote to memory of 1020 | 392 | 5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe | 83
- PID 1020 wrote to memory of 5056 | 1020 | explorer.exe | 85
- PID 5056 wrote to memory of 4036 | 5056 | spoolsv.exe | 86
- PID 4036 wrote to memory of 4996 | 4036 | svchost.exe | 87
- PID 4036 wrote to memory of 1528 | 4036 | svchost.exe | 89
- PID 4036 wrote to memory of 4284 | 4036 | svchost.exe | 101
- PID 4036 wrote to memory of 968 | 4036 | svchost.exe | 104
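The registry signatures above are easier to act on as rules than as a list of keys. The following is an added example, not code from the tria.ge report: it models each registry write as an event (the EVENTS list is constructed from the IoCs above, with writer image paths taken from the process tree, where explorer.exe is the dropped copy in c:\windows\system, plus one constructed benign control row for the real Explorer) and applies one check per signature. The rule ids, the RegWrite class and the helper names are assumptions.

```python
"""Triage registry writes for the persistence tricks listed in the Signatures above.

Added example, not part of the tria.ge report. EVENTS is constructed from the
report's IoCs; the writer image paths come from the process tree, where
explorer.exe is the dropped copy in c:\\windows\\system, plus one benign control
row for the real Explorer. Rule ids and helper names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RegWrite:
    key: str             # key path as the sandbox logs it
    value: str           # value name
    data: Optional[str]  # data written (None for key create/delete)
    writer: str          # image path of the writing process


DROPPED_EXPLORER = r"c:\windows\system\explorer.exe"
USER_ADV = (r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced")
EVENTS = [
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "shell", r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe", DROPPED_EXPLORER),
    RegWrite(USER_ADV, "ShowSuperHidden", "0", DROPPED_EXPLORER),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
             r"\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}",
             "StubPath", r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR", DROPPED_EXPLORER),
    RegWrite(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
             "Svchost", r"c:\windows\system\svchost.exe RO", DROPPED_EXPLORER),
    # Constructed benign control: the real Explorer writing the same default value.
    RegWrite(USER_ADV, "ShowSuperHidden", "0", r"C:\Windows\explorer.exe"),
]

# Active Setup component keys are hex GUIDs; the sample's contain letters outside A-F.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Where Windows really loads the binaries whose names the drops reuse.
EXPECTED_DIR = {"explorer.exe": r"c:\windows",
                "svchost.exe": r"c:\windows\system32",
                "spoolsv.exe": r"c:\windows\system32"}


def image_of(command: str) -> str:
    """First token of a command string, lower-cased (drops the 'MR'/'RO' argument)."""
    return command.strip().split(" ")[0].lower()


def is_masquerade(path: str) -> bool:
    """True when a well-known system binary name sits outside its real directory."""
    directory, _, name = path.lower().rpartition("\\")
    return name in EXPECTED_DIR and directory != EXPECTED_DIR[name]


def check(ev: RegWrite) -> List[str]:
    """Rule ids (assumed names) that fire on one registry write, in rule order."""
    hits: List[str] = []
    key = ev.key.lower()
    if key.endswith(r"\winlogon") and ev.value.lower() == "shell" and ev.data:
        # Winlogon\Shell defaults to exactly "explorer.exe"; every extra entry runs at logon.
        extra = [image_of(p) for p in ev.data.split(",")
                 if image_of(p) not in ("explorer.exe", r"c:\windows\explorer.exe")]
        if extra:
            hits.append("winlogon-shell-extra:" + ",".join(extra))
    if r"\currentversion\run" in key and ev.data and is_masquerade(image_of(ev.data)):
        hits.append("run-key-masquerade")
    m = re.search(r"\\installed components\\(\{[^\\]+\})", key)
    if m and not GUID_RE.match(m.group(1)):
        hits.append("active-setup-bad-guid")
    if m and ev.value.lower() == "stubpath" and ev.data and "\\appdata\\" in ev.data.lower():
        hits.append("active-setup-stub-in-user-dir")
    if (ev.value.lower() == "showsuperhidden" and ev.data == "0"
            and ev.writer.lower() != r"c:\windows\explorer.exe"):
        # 0 is the Windows default, so the data alone proves nothing; the writer does.
        hits.append("superhidden-set-by-foreign-process")
    return hits


def triage(events: List[RegWrite]) -> List[str]:
    """Flattened list of every rule hit across the events, in event order."""
    return [hit for ev in events for hit in check(ev)]


if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.value:<16} {ev.writer:<35} {check(ev) or ['-']}")
```

The control row shows the point of keying the ShowSuperHidden rule on the writer rather than the data: the same value written by C:\Windows\explorer.exe produces no hit. On a live host the same checks apply to the 64-bit hives as well; the WOW6432Node paths here only reflect that the sample is 32-bit.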
Processes
1. C:\Users\Admin\AppData\Local\Temp\5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe"
   PID 392
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\system\explorer.exe
      command line: c:\windows\system\explorer.exe
      PID 1020
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\system\spoolsv.exe
         command line: c:\windows\system\spoolsv.exe SE
         PID 5056
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\system\svchost.exe
            command line: c:\windows\system\svchost.exe
            PID 4036
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\system\spoolsv.exe
               command line: c:\windows\system\spoolsv.exe PR
               PID 4996
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
            5. C:\Windows\SysWOW64\at.exe
               command line: at 06:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
               PID 1528
            5. C:\Windows\SysWOW64\at.exe
               command line: at 07:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
               PID 4284
            5. C:\Windows\SysWOW64\at.exe
               command line: at 07:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
               PID 968
Reading the tree: the submitted sample itself only drops and starts c:\windows\system\explorer.exe (PID 392 carries no registry signatures); every persistence write comes from the dropped explorer.exe (1020) and svchost.exe (4036). Each dropped copy starts the next one (sample, explorer.exe, spoolsv.exe SE, svchost.exe, spoolsv.exe PR), and the single-token arguments SE, PR, RO and MR distinguish the launch paths. PID 4036 also runs C:\Windows\SysWOW64\at.exe three times (the 32-bit at.exe, as expected for a 32-bit parent) to schedule c:\windows\system\svchost.exe at 06:59, 07:00 and 07:01 every day of the week. at.exe has been deprecated in favour of schtasks.exe since Windows 8 and the report lists no scheduled-task signature, so treat these jobs as attempted rather than confirmed persistence.
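The WriteProcessMemory table and the at.exe command lines above can be turned back into structure mechanically. The following is an added example, not code from the tria.ge report: it rebuilds the parent-child chain from the "PID A wrote to memory of B" rows (copied from the report, with one deliberate duplicate to show that repeated rows are collapsed) and parses the three at.exe job lines into fields that a rule can test. The regular expressions, tag names and helper names are assumptions; the observation that every write-to-memory row here precedes the child's first execution is specific to this report.

```python
"""Rebuild the spawn chain from the WriteProcessMemory rows and decode the at.exe jobs.

Added example, not part of the tria.ge report. ROWS, IMAGES and AT_CMDS are copied
from the report's WriteProcessMemory table and process tree (sample name kept in
SAMPLE); helper names and tag names are assumptions. In this report every
"PID A wrote to memory of B" row precedes B's first execution, so the distinct
(A, B) pairs are the parent->child edges; the report logs each pair three times.
"""
import re
from collections import defaultdict
from typing import Any, Dict, List, Tuple

SAMPLE = "5dbca57b201b24cf86387e90b35b28a0_NeikiAnalytics.exe"
ROWS = [
    f"PID 392 wrote to memory of 1020 392 {SAMPLE} 83",
    f"PID 392 wrote to memory of 1020 392 {SAMPLE} 83",   # duplicate, as in the report
    "PID 1020 wrote to memory of 5056 1020 explorer.exe 85",
    "PID 5056 wrote to memory of 4036 5056 spoolsv.exe 86",
    "PID 4036 wrote to memory of 4996 4036 svchost.exe 87",
    "PID 4036 wrote to memory of 1528 4036 svchost.exe 89",
    "PID 4036 wrote to memory of 4284 4036 svchost.exe 101",
    "PID 4036 wrote to memory of 968 4036 svchost.exe 104",
]
IMAGES = {392: SAMPLE, 1020: "explorer.exe", 5056: "spoolsv.exe", 4036: "svchost.exe",
          4996: "spoolsv.exe", 1528: "at.exe", 4284: "at.exe", 968: "at.exe"}
AT_CMDS = {
    1528: r"at 06:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    4284: r"at 07:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    968: r"at 07:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
}

# Row layout: "PID <a> wrote to memory of <b> <a> <image> <target id>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
# Job layout: "at <HH:MM> <options...> <target>"
AT_RE = re.compile(r"^at (\d{2}:\d{2}) (.*?)\s+(\S+)$", re.I)
ALL_DAYS = ["M", "T", "W", "Th", "F", "S", "Su"]


def edges(rows: List[str]) -> List[Tuple[int, int]]:
    """Ordered, de-duplicated (parent, child) pairs; raises on a row it cannot parse."""
    seen: List[Tuple[int, int]] = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unexpected row: {row!r}")
        pair = (int(m.group(1)), int(m.group(2)))
        if pair not in seen:
            seen.append(pair)
    return seen


def preorder(rows: List[str]) -> List[Tuple[int, int]]:
    """(pid, depth) in depth-first order, parents before children, roots at depth 0."""
    children: Dict[int, List[int]] = defaultdict(list)
    parent: Dict[int, int] = {}
    for p, c in edges(rows):
        children[p].append(c)
        parent[c] = p
    out: List[Tuple[int, int]] = []

    def visit(pid: int, depth: int) -> None:
        out.append((pid, depth))
        for child in children[pid]:
            visit(child, depth + 1)

    for root in [p for p in children if p not in parent]:
        visit(root, 0)
    return out


def depths(rows: List[str]) -> Dict[int, int]:
    """PID -> depth below the root (the report numbers the same levels 1..5)."""
    return {pid: d for pid, d in preorder(rows)}


def render(rows: List[str]) -> List[str]:
    """Indented one-line-per-process view of the chain."""
    return ["  " * d + f"{IMAGES.get(pid, '?')} (PID {pid})" for pid, d in preorder(rows)]


def parse_at(cmd: str) -> Dict[str, Any]:
    """Split an at.exe job line into time, interactive flag, day list and target."""
    m = AT_RE.match(cmd)
    if not m:
        raise ValueError(f"not an at.exe job line: {cmd!r}")
    when, opts, target = m.groups()
    flags = opts.split()
    every: List[str] = []
    for f in flags:
        if f.lower().startswith("/every:"):
            every = f[len("/every:"):].split(",")
    return {"time": when, "interactive": any(f.lower() == "/interactive" for f in flags),
            "every": every, "target": target}


def at_findings(cmd: str) -> List[str]:
    """Why a job line deserves attention, as short tags (assumed names)."""
    job = parse_at(cmd)
    tags: List[str] = []
    if job["interactive"]:
        tags.append("interactive")            # job asks for the logged-on user's desktop
    if sorted(job["every"]) == sorted(ALL_DAYS):
        tags.append("daily")
    if job["target"].lower().rpartition("\\")[0] == r"c:\windows\system":
        tags.append("target-in-legacy-system-dir")  # the real svchost.exe is in System32
    return tags


if __name__ == "__main__":
    print("\n".join(render(ROWS)))
    for pid, cmd in AT_CMDS.items():
        print(pid, parse_at(cmd)["time"], at_findings(cmd))
```

The rendered chain matches the numbered tree in the report (depth 0 here is level 1 there), which is a useful sanity check when a report only gives the flat WriteProcessMemory rows. The at.exe parser is the piece to reuse: the same three tags fire on all three jobs, and the minute-by-minute schedule is visible in the time field.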
Network
(no entries)
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
Downloads (4 dropped files)
1. Filesize: 66KB
   MD5: d30988ab2e961c97727fb59e8a2a46fa
   SHA1: 697a178ea3b272ceaf9b15d5bc20daa6d6fe35cd
   SHA256: 0bd1ff64f5b752ce0d77b1a6414f1c09d3a1c9a562a43f1285ed052a58707363
   SHA512: 30f1aabc667a159aeb522f85657a214b4a43f23e60b4c98263acbf674658dc3e23bcc2793680b55289b0dfb5adb44036d5e7dc500cd9d279a791c8d81f89de0a
2. Filesize: 66KB
   MD5: 56df585528ed1aa147c0809fdde8dfa0
   SHA1: 6c47265d9ac707f57d5cf0c3308ceb644193682c
   SHA256: b1f11a0e61b2a94df44a43e4f8352edc9def7a9f829a4e3a570a98fb424f84ac
   SHA512: 90f3c99be5f5358c64f817c9ed420bfaf76f9b37338e980cbce8acd0f32b651f80d0593221c760bfb78edbdc0d7e927e0584b9065725f4965633d51a75595e98
3. Filesize: 66KB
   MD5: 928c42d879bfdd9df338366578ac90a6
   SHA1: 898d1b8c07d6ff3501b16d69a6f0de7bc34da59b
   SHA256: aad0b119ec073a6ef03a5b29fcd5bf0958f6495cb0cd4909da5ff0e3e61df277
   SHA512: 46018d823728c38bef7d50b9592f1e46cf023e693898a0e162d44831c8d05377d9454cd76752f7ba31dea70fb2692e92952e8352b27b4486d305a58481bb2244
4. Filesize: 66KB
   MD5: 890ee349be7b140845db2a4619aed148
   SHA1: 16da88d1c8c3e035025524ba1a7fdb971f0a2c63
   SHA256: b00685f5bc6b388a03aa3e8cd093f3cfe38869769a102217d27a2436e255963d
   SHA512: 71724fe67fd15950b0b7fc20ccef28066e7109df0dde0f76e815909eee05a94e0acaeefedca726efb934f26866f5867128e39010be0226327f5489651e1ae732
All four drops are 66KB like the submitted sample, yet each has a different hash from the sample and from one another, so a blocklist keyed on the parent's hash will not catch the copies left under C:\Windows\System. The report does not say which dropped path each hash belongs to; the file-path and registry indicators above are the stable ones.