Analysis

  • max time kernel
    51s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/06/2024, 00:01

General

  • Target

    1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe

  • Size

    90KB

  • MD5

    c7c08910097d82602c345146ce16afd0

  • SHA1

    b4904411974aaf7bd3eb2b18d2f2bbda157a62b3

  • SHA256

    1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12

  • SHA512

    7fe8a2a4856338dcb1bf3cdb397e4434bcabf31cd01b4e36ad3e93e6a2a622dc8dc7cba3f7d3e4a405f9650acce37094c4ea79b730a91167825b0caec303ed1a

  • SSDEEP

    1536:XJRtlEnBHHIgabuYotV/JbJCX5SBiCJRtlEnBHHIgabuYotV/JbJCX5SBi:XvtYxOuYotvYQICvtYxOuYotvYQI

Score
10/10

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:548
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2280
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4616
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1424
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4776
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1936
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3016
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1932

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    90KB

    MD5

    057ddda5cf2ac52312628ad297f60191

    SHA1

    53f9e77cd59b663adee515126cbc2a7b69b77f04

    SHA256

    2f24b6d5b8975158dfe0799b6fdb6ff982294a02c420df28773974c86ddaf12c

    SHA512

    1ab63e629b2981f58c7ed04119681c7b79c2be78ac67b9ffbe80f935668e387be5f804cf3760ad634ea6ca1a85053a379ab268aab0a5eb8046fa488373e668d9

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    90KB

    MD5

    37c53a91685e3ca7e4182773886cecb8

    SHA1

    f98cf3ca4c927998bfe4555be25e1e0edd55474c

    SHA256

    59b9c523428c04054ce156e6c733d8dfda9912bf41ba164a813a6b54f82db19c

    SHA512

    4b4331d00cee2e5e9cfbb23f39be42decddb5970b74147703f0acbcb58bc3b5a3d7f568e95f1b46241b1e998c9c96318bdf08fbcc0b14f692eacf7ece809f72d

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    90KB

    MD5

    4880f5a9b977a0ee17c7d3c188970298

    SHA1

    43eb95b4ef1e33d56b90cd48891dd33eeab53dca

    SHA256

    71bde26c85283fbfda40f0ae3a909c265f9689a5f1e8e93fda80483cd2d03f33

    SHA512

    ffa93ff71b374fbc88089bec39982acfe22838f3269fb44e5bab36917e71f885f00a4fbcc0373739d24236e24b18687aaa3679aaee54e803a7ad34b3d16060ef

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    90KB

    MD5

    3ded00f62d2d8e2106a965035d338128

    SHA1

    13296d8159d2741952ebb82ce6c964bf24a6b8a5

    SHA256

    cdcee5ec232d6e2c39de5b0f934ad16e831daf3145a9ac681829fd0b4aa44386

    SHA512

    1a61c492e6ef009ad4a6457042b4d83dd46c27ea9aea44349e523acaa1575ecbb6730eda591f5934fa16d391d1c16bf508c56682b84472c18434101b089b5a06

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    90KB

    MD5

    c7c08910097d82602c345146ce16afd0

    SHA1

    b4904411974aaf7bd3eb2b18d2f2bbda157a62b3

    SHA256

    1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12

    SHA512

    7fe8a2a4856338dcb1bf3cdb397e4434bcabf31cd01b4e36ad3e93e6a2a622dc8dc7cba3f7d3e4a405f9650acce37094c4ea79b730a91167825b0caec303ed1a

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

    Filesize

    90KB

    MD5

    b2bb779f710af6c6083ec70a903f15a0

    SHA1

    69458b39c25b5ce630e00004452d2e289d69b020

    SHA256

    f969b88e8cd06799be34f1b7517134c3a6750f7b777448619bd8bfe23fbf1cc0

    SHA512

    d80b5093ef9ba75c27e286cfefa7a6d62dfced88392fd1faa46a436e9672d3b88aa46b480f92e7e17e94668fc57c27f09f7544d471032225017dba530e9099dd

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    90KB

    MD5

    998c630a849b3f4ad9ff893c5f0d0305

    SHA1

    57d2bb22ace6b9196ee70ae039781a763709de4b

    SHA256

    6b283250a142de5bb131279db2db071b314cf492c580b1ec4b298ea5c31ff7a8

    SHA512

    429def07b4c7f939c13fc53f062f2d31574f5e6eabca75d20babe9a2c394ef62f01ce99d609815ea4c42795bff55c4609c8b91f1ac1e1beb6aac0f0e80bf6475

  • C:\Windows\xk.exe

    Filesize

    90KB

    MD5

    2fbc7b2f6137118e42955ca6fa8f6263

    SHA1

    d4dc793bc776b0b7cdd14291dacc948cb12d0d8b

    SHA256

    00f14bf27d1974fbd13e7345d847154c63fc1077ca57d6c6c89f2e7573f9448c

    SHA512

    ce4e4aba1fb96a86f7e60dd19deabfbaadbd8c9e93df6b963b88662f90614728e3e01735ee312b2fdef4cafb4e4b0c6ab24a1a55d17f92e873518a94097e22ed

  • memory/548-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/548-156-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1424-128-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1932-154-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1936-137-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1936-142-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2280-113-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2280-108-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3016-147-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4616-115-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4616-120-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4776-134-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB