Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20/06/2024, 01:18
Static task: static1
Behavioral task: behavioral1
  Sample: 22b586f97b11010cc55cd503043f180737052dca055c848178329f538c10ade0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 22b586f97b11010cc55cd503043f180737052dca055c848178329f538c10ade0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 22b586f97b11010cc55cd503043f180737052dca055c848178329f538c10ade0_NeikiAnalytics.exe
Size: 741KB
MD5: cc2e1d95832a728f5477c23ce4e53d00
SHA1: 79a42c64269f2b69b274fff866230e508845f7be
SHA256: 22b586f97b11010cc55cd503043f180737052dca055c848178329f538c10ade0
SHA512: f6cdd1bbedfed9f51341a2de2c4f5fd31090d6855cc9f845279c928dce8899c3c9bed09c397780aa2e13cffb8939e91dc7e02bca0c2af9f6586f582ba20da52c
SSDEEP: 12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1Fh:lIt4kt0Kd6F6CNzYhUiEWEYcwp
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
ShowSuperHidden is Explorer's "Hide protected operating system files" switch; 0 (the default) keeps files that carry both the hidden and system attributes out of directory listings. Both dropped copies write it into the logged-on user's hive.
- Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by svchost.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by explorer.exe
Executes dropped EXE (4 IoCs)
- 3008 explorer.exe
- 2672 spoolsv.exe
- 2744 svchost.exe
- 2456 spoolsv.exe
Loads dropped DLL (4 IoCs)
- 2044 22b586f97b11010cc55cd503043f180737052dca055c848178329f538c10ade0_NeikiAnalytics.exe
- 3008 explorer.exe
- 2672 spoolsv.exe
- 2744 svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
The values are under RunOnce, not Run, in the Wow6432Node branch of HKLM where a 32-bit process's writes are redirected. Windows deletes a RunOnce value before it runs the command, so on their own these entries survive one logon; both dropped processes write both values, and the scheduled task below provides the recurring restart. The dropped binaries are launched with the argument "RO".
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" by svchost.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" by svchost.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" by explorer.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" by explorer.exe
Drops file in System32 directory (2 IoCs)
Both dropped copies open the 32-bit Explorer binary with write access. The report records the open, not what was written, so on a real host compare this file's hash against a clean install before trusting it.
- File opened for modification C:\Windows\SysWOW64\explorer.exe by svchost.exe
- File opened for modification C:\Windows\SysWOW64\explorer.exe by explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (19 IoCs)
NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from delivering debug events, so an attached debugger no longer sees its exceptions or breakpoints. Every process in the chain makes the call once; the two long-lived stages (3008 and 2744) repeat it.
- 2044 22b586f97b11010cc55cd503043f180737052dca055c848178329f538c10ade0_NeikiAnalytics.exe (1)
- 3008 explorer.exe (8)
- 2672 spoolsv.exe (1)
- 2744 svchost.exe (8)
- 2456 spoolsv.exe (1)
Drops file in Windows directory (4 IoCs)
Each stage writes the next one, all under C:\Windows\Resources, which needs an elevated token; on a host where the user is not an administrator these writes fail. tjud.exe is written but never appears as a running process in this report.
- File opened for modification \??\c:\windows\resources\themes\explorer.exe by 22b586f97b11010cc55cd503043f180737052dca055c848178329f538c10ade0_NeikiAnalytics.exe
- File opened for modification \??\c:\windows\resources\spoolsv.exe by explorer.exe
- File opened for modification \??\c:\windows\resources\svchost.exe by spoolsv.exe
- File opened for modification C:\Windows\Resources\tjud.exe by explorer.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here svchost.exe (2744) runs schtasks three times, each creating a daily task named "svchost" that runs c:\windows\resources\svchost.exe. All three use the same task name with /f, so each creation overwrites the previous one and a single task with the last start time (01:22) remains. The start times advance with the clock (the sample was submitted at 01:18), which suggests the time is computed at run time rather than fixed in the binary.
- 2912 schtasks.exe
- 996 schtasks.exe
- 908 schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
64 process-enumeration hits, all from the sample (2044) and the three long-lived dropped stages: 3008 explorer.exe, 2672 spoolsv.exe and 2744 svchost.exe. 2456 spoolsv.exe is not among them.
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Repeated GetForegroundWindow calls are used both to detect an idle sandbox (no user ever switches windows) and by keyloggers to attribute keystrokes to the active window; the report does not say which applies here.
- 2744 svchost.exe
- 3008 explorer.exe
Suspicious use of SetWindowsHookEx (15 IoCs)
Three hook installations per process. The report does not record the hook type, so keylogging cannot be confirmed from this signature alone.
- 2044 22b586f97b11010cc55cd503043f180737052dca055c848178329f538c10ade0_NeikiAnalytics.exe (3)
- 3008 explorer.exe (3)
- 2672 spoolsv.exe (3)
- 2744 svchost.exe (3)
- 2456 spoolsv.exe (3)
Suspicious use of WriteProcessMemory (32 IoCs)
Eight distinct parent-to-child writes, each recorded four times. Every target is a process the writer itself has just started, and CreateProcess writes the new process's parameters into the child as part of normal process creation, so this signature also fires for benign parent/child pairs; on its own it is not evidence of injection.
- 2044 22b586f97b11010cc55cd503043f180737052dca055c848178329f538c10ade0_NeikiAnalytics.exe wrote to 3008 (target index 28)
- 3008 explorer.exe wrote to 2672 (target index 29)
- 2672 spoolsv.exe wrote to 2744 (target index 30)
- 2744 svchost.exe wrote to 2456 (target index 31)
- 3008 explorer.exe wrote to 2520 (target index 32)
- 2744 svchost.exe wrote to 2912 (target index 33)
- 2744 svchost.exe wrote to 996 (target index 38)
- 2744 svchost.exe wrote to 908 (target index 40)
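Triage's text export flattens its signature tables into long runs of repeated tokens, which makes the parent/child chain hard to read and easy to miscount. The following is an added example, not part of this report or of Triage's own tooling: a small Python parser that rebuilds the chain from the "wrote to memory of" entries and the pid/Process lists above, collapsing the four copies of each relationship. The inline strings are copies of the report's lists (the 32-entry list is shortened to one copy of each pair, with one deliberate duplicate left in), and the pid 2520 shows as unknown because no pid/Process list names it.

```python
"""Added example, not part of the Triage report: rebuild the process chain from the
flattened 'Suspicious use of WriteProcessMemory' and 'pid Process' lists above.
Triage lists every parent->child write four times; the parser collapses them."""
import re
from collections import defaultdict

SAMPLE = "22b586f97b11010cc55cd503043f180737052dca055c848178329f538c10ade0_NeikiAnalytics.exe"

# Copied from the report's WriteProcessMemory table; the first pair keeps one of its
# duplicates to show that repeats are harmless.
WRITE_PROCESS_MEMORY = " ".join([
    f"PID 2044 wrote to memory of 3008 2044 {SAMPLE} 28",
    f"PID 2044 wrote to memory of 3008 2044 {SAMPLE} 28",
    "PID 3008 wrote to memory of 2672 3008 explorer.exe 29",
    "PID 2672 wrote to memory of 2744 2672 spoolsv.exe 30",
    "PID 2744 wrote to memory of 2456 2744 svchost.exe 31",
    "PID 3008 wrote to memory of 2520 3008 explorer.exe 32",
    "PID 2744 wrote to memory of 2912 2744 svchost.exe 33",
    "PID 2744 wrote to memory of 996 2744 svchost.exe 38",
    "PID 2744 wrote to memory of 908 2744 svchost.exe 40",
])

# 'pid Process' lists from "Executes dropped EXE" and "Scheduled Task" above.
# PID 2520 (C:\Windows\Explorer.exe) appears only in the process tree, so it stays unnamed.
PID_PROCESS_LISTS = [
    "pid Process 3008 explorer.exe 2672 spoolsv.exe 2744 svchost.exe 2456 spoolsv.exe",
    "pid Process 2912 schtasks.exe 996 schtasks.exe 908 schtasks.exe",
]

# "PID <parent> wrote to memory of <child> <parent> <parent image> <target index>"
LINK_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
PID_NAME_RE = re.compile(r"(\d+) (\S+)")


def parse_links(text):
    """Return ({child: parent}, {pid: image}) with duplicate entries collapsed."""
    parents, names = {}, {}
    for parent, child, parent_name in LINK_RE.findall(text):
        if parents.get(child, parent) != parent:
            raise ValueError(f"pid {child} reported with two parents")
        parents[child] = parent
        names[parent] = parent_name
    return parents, names


def parse_pid_names(text):
    """'pid Process 3008 explorer.exe 2672 spoolsv.exe' -> {'3008': 'explorer.exe', ...}"""
    body = text.split("pid Process", 1)[-1]
    return dict(PID_NAME_RE.findall(body))


def build_tree(parents):
    """Group children under each parent; roots are parents that are nobody's child."""
    children = defaultdict(list)
    for child, parent in parents.items():
        children[parent].append(child)
    roots = [pid for pid in children if pid not in parents]
    return roots, children


def render(pid, names, children, depth=0):
    """Indented lines, two spaces per level, children in the order Triage recorded them."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '<unknown>')}"]
    for child in children.get(pid, []):
        lines.extend(render(child, names, children, depth + 1))
    return lines


def process_tree():
    """Full chain for this report as a list of indented 'pid image' lines."""
    parents, names = parse_links(WRITE_PROCESS_MEMORY)
    for text in PID_PROCESS_LISTS:
        names.update(parse_pid_names(text))
    roots, children = build_tree(parents)
    return [line for root in roots for line in render(root, names, children)]


if __name__ == "__main__":
    print("\n".join(process_tree()))
```

Running it prints the same chain the Processes section shows: the sample, then the dropped explorer.exe, under it spoolsv.exe and svchost.exe, and under svchost.exe the second spoolsv.exe plus the three schtasks.exe instances, with the genuine C:\Windows\Explorer.exe (2520) as a second child of 3008. The duplicate-parent check is there because a child that appears with two different parents in such a list would mean the table was parsed wrongly, not that the process had two parents.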
Processes
Depth numbers are the report's own. Each entry lists the image path, the recorded command line, the signatures that fired for that PID, and the children it started. The dropped binaries are started with different one-word arguments (SE, PR, and RO from the RunOnce values); the report does not say what they select.

1. C:\Users\Admin\AppData\Local\Temp\22b586f97b11010cc55cd503043f180737052dca055c848178329f538c10ade0_NeikiAnalytics.exe (PID 2044)
   Command line: "C:\Users\Admin\AppData\Local\Temp\22b586f97b11010cc55cd503043f180737052dca055c848178329f538c10ade0_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\windows\resources\themes\explorer.exe (PID 3008)
      Command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. \??\c:\windows\resources\spoolsv.exe (PID 2672)
         Command line: c:\windows\resources\spoolsv.exe SE
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. \??\c:\windows\resources\svchost.exe (PID 2744)
            Command line: c:\windows\resources\svchost.exe
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. \??\c:\windows\resources\spoolsv.exe (PID 2456)
               Command line: c:\windows\resources\spoolsv.exe PR
               - Executes dropped EXE
               - Suspicious use of NtSetInformationThreadHideFromDebugger
               - Suspicious use of SetWindowsHookEx

            5. C:\Windows\SysWOW64\schtasks.exe (PID 2912)
               Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:20 /f
               - Scheduled Task/Job: Scheduled Task

            5. C:\Windows\SysWOW64\schtasks.exe (PID 996)
               Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:21 /f
               - Scheduled Task/Job: Scheduled Task

            5. C:\Windows\SysWOW64\schtasks.exe (PID 908)
               Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:22 /f
               - Scheduled Task/Job: Scheduled Task

      3. C:\Windows\Explorer.exe (PID 2520)
         Command line: C:\Windows\Explorer.exe
         (no signatures recorded; this is the genuine shell, started by the dropped explorer.exe)
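The stable feature of this chain is not a file hash (the Downloads section shows every dropped copy hashing differently) but the shape of the persistence: Windows binary names (explorer.exe, svchost.exe, spoolsv.exe) written and launched from C:\Windows\Resources, RunOnce values and a scheduled task pointing at them, and ShowSuperHidden forced to 0 by something other than the real shell. The following is an added example, not part of the Triage report: Python rules that express those conditions and run them over constructed Sysmon-style events. The dict schema and the rule names are this example's own simplification of Sysmon events 1 (process create), 11 (file create) and 13 (registry value set); the events are built from the IoCs above plus two benign controls that must not fire.

```python
"""Added example, not part of the Triage report: host-telemetry rules for the
behaviour in the Signatures/Processes sections, run over constructed events.
The dict schema is this example's own simplification of Sysmon events 1, 11
and 13; the sample events are built from the report's IoCs plus two controls."""
import ntpath
import re

SAMPLE = "22b586f97b11010cc55cd503043f180737052dca055c848178329f538c10ade0_NeikiAnalytics.exe"
SID = "S-1-5-21-1298544033-3225604241-2703760938-1000"  # sandbox user's SID, from the report
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
REAL_EXPLORER = "c:\\windows\\explorer.exe"
MASQUERADED_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}  # names this chain borrows
AUTORUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)
SHOWSUPERHIDDEN_RE = re.compile(r"\\explorer\\advanced\\showsuperhidden$", re.I)
SHOWSUPERHIDDEN_KEY = r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden" % SID


def win_split(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes (no escapes)."""
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def schtasks_options(cmdline):
    """Map schtasks switches to values: {'/tn': 'svchost', '/tr': '...', '/f': None, ...}."""
    args, opts = win_split(cmdline), {}
    for i, tok in enumerate(args):
        if tok.startswith("/"):
            nxt = args[i + 1] if i + 1 < len(args) else None
            opts[tok.lower()] = None if nxt is None or nxt.startswith("/") else nxt
    return opts


def normalize_path(path):
    """Lower-case and drop the NT '\\??\\' prefix that Triage shows on file IoCs."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def first_exe(value):
    """Executable part of a command string such as 'c:\\x\\explorer.exe RO'."""
    toks = win_split(value)
    return normalize_path(toks[0]) if toks else ""


def masquerades_system_binary(path):
    """A Windows binary name outside its genuine location (System32, SysWOW64, the shell)."""
    p = normalize_path(path)
    return ntpath.basename(p) in MASQUERADED_NAMES and not (
        p.startswith(SYSTEM_DIRS) or p == REAL_EXPLORER)


def evaluate(events):
    """Return one (rule, pid, evidence) tuple per matching event."""
    findings = []
    for ev in events:
        kind = ev["event"]
        if kind == "process_create" and ntpath.basename(ev["image"].lower()) == "schtasks.exe":
            opts = schtasks_options(ev["command_line"])
            if "/create" in opts and masquerades_system_binary(first_exe(opts.get("/tr") or "")):
                findings.append(("schtasks_runs_masqueraded_binary", ev["pid"], opts.get("/tn")))
        elif kind == "registry_set":
            key = ev["target_object"]
            if AUTORUN_KEY_RE.search(key):
                if masquerades_system_binary(first_exe(ev["details"])):
                    findings.append(("autorun_to_masqueraded_binary", ev["pid"], key))
            elif (SHOWSUPERHIDDEN_RE.search(key) and str(ev["details"]).strip() == "0"
                  and normalize_path(ev["image"]) != REAL_EXPLORER):
                # Only the genuine shell should toggle "hide protected operating system files".
                findings.append(("showsuperhidden_off_by_non_shell", ev["pid"], ev["image"]))
        elif kind == "file_create" and masquerades_system_binary(ev["target_filename"]):
            findings.append(("masqueraded_binary_written", ev["pid"], ev["target_filename"]))
    return findings


# Constructed events mirroring the report, plus two benign controls that must not fire.
SAMPLE_EVENTS = [
    {"event": "file_create", "pid": 2044, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
     "target_filename": r"\??\c:\windows\resources\themes\explorer.exe"},
    {"event": "registry_set", "pid": 2744, "image": r"c:\windows\resources\svchost.exe",
     "target_object": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
     "details": r"c:\windows\resources\themes\explorer.exe RO"},
    {"event": "registry_set", "pid": 2744, "image": r"c:\windows\resources\svchost.exe",
     "target_object": SHOWSUPERHIDDEN_KEY, "details": "0"},
    {"event": "process_create", "pid": 2912, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": 'schtasks /create /tn "svchost" /tr "c:\\windows\\resources\\svchost.exe" /sc daily /st 01:20 /f'},
    {"event": "process_create", "pid": 4100, "image": r"C:\Windows\System32\schtasks.exe",  # control
     "command_line": 'schtasks /create /tn "Cleanup" /tr "C:\\Windows\\System32\\svchost.exe -k netsvcs" /sc daily /st 02:00'},
    {"event": "registry_set", "pid": 1337, "image": r"C:\Windows\explorer.exe",  # control
     "target_object": SHOWSUPERHIDDEN_KEY, "details": "0"},
]

if __name__ == "__main__":
    for rule, pid, evidence in evaluate(SAMPLE_EVENTS):
        print(f"{rule:36} pid={pid} {evidence}")
```

Run directly it prints four findings, one per stage of the chain, and nothing for the two controls (a task whose /tr really resolves into System32, and C:\Windows\explorer.exe applying the same ShowSuperHidden value a user would set through Folder Options). The schtasks parser keys on the executable inside /tr rather than on the task name, since the name "svchost" is cheap to change while the location of the dropped binary is what the persistence depends on; the same first_exe check is reused for the RunOnce data, which carries a trailing "RO" argument.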
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), 1
- Scheduled Task/Job: Scheduled Task (T1053.005), 1
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), 1
- Scheduled Task/Job: Scheduled Task (T1053.005), 1
The report maps only the two persistence signatures. The NtSetInformationThreadHideFromDebugger call is Defense Evasion: Debugger Evasion (T1622), and the borrowed explorer.exe/svchost.exe/spoolsv.exe names are Defense Evasion: Masquerading, Match Legitimate Name or Location (T1036.005).
Downloads
Three dropped files were collected. Each is 741KB, the same size as the sample, but the hashes differ from the sample's and from each other, so a file-hash IoC taken from one infection will not match the copies written on the next. The report does not say which download corresponds to which dropped path.

1. Filesize: 741KB
   MD5: 16ad4068ab5a76d98d225e759ee1eacf
   SHA1: 12e3b32f7f10b7a76272fb63ed009669ee6dcf03
   SHA256: 5a28997363dfd11e7bb4a8bdfd07982c266013b3946886577c279a26b51ce9f0
   SHA512: 5c5d857e7ae4ec36eb7f92b7714c7439a03e77fd6d781e5e3e3309a3a5a549758e7e310879f50549d5cc9b0cd96efd570fc9b01452ba9f2f31f1087e50bec088

2. Filesize: 741KB
   MD5: 25e1606ef0c6929805329336ff8826bb
   SHA1: 24986d35e58f224058d5ac4ad20449bbb8545aa1
   SHA256: 204b2ecd3c5e7fabe294b6d91d48b791d49aafe4ee3fe43b25c35e9d263911e0
   SHA512: b00f83b88811d6d3ec0a6e10c51be323c4c3d96a04659e0f006c061445a7a67679138947925dc7790bd8e41ec93bae9cebd46e69e760915b7a0a28473fd6c21a

3. Filesize: 741KB
   MD5: 63ab80f53525d870fd49c04e410d0399
   SHA1: 2c160bb29fd9822e9a8f4e3a6f86845981142e78
   SHA256: e14430f41bf5c84d791cfa480df03300bb5c12a7fe9d39faead6338a741ae141
   SHA512: 7c977d8d60a8afdb7775bf94aebf93b672b8c211741d4ceb36c898d9dccb8139aa451e61f7b7ff49671df920453c58eb1af456ab219225a78f050ceff88f1c6f