Analysis

  • max time kernel
    78s
  • max time network
    87s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/06/2024, 14:15

General

  • Target

    6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe

  • Size

    232KB

  • MD5

    e63363b5821c2d5a191a739c6a1656a0

  • SHA1

    4446e08d4c95444d2f761a4737a3aa48485e7bb5

  • SHA256

    6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4

  • SHA512

    15b1a9b3e79966c1266efdc540189a219ec954b34672476aea806d5756d60a6a9e34dbb631bcca6fe33748487ca4e900607bd75cf729ec8a2e6d9ba0488303c2

  • SSDEEP

    3072:s1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1VOz1i/NU82OMYcYU:ai/NjO5xbg/CSUFLTwMjs6oi/N+O7

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 23 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs
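
The "UPX packed file" signature above is a static check. The following is an added example, not tria.ge's own detection logic, of how such a check is made in practice: parse the PE section table, look for the UPX0/UPX1 section names stock UPX leaves behind, and fall back to a layout-plus-entropy heuristic for modified UPX builds that rename their sections. The PE builder, the 7.0 bits-per-byte entropy threshold and the 256-byte minimum section size are assumptions made for the example; the three sample images are constructed in the block and are not the report's files.

```python
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted section bodies sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Return [(name, raw_bytes)] from the PE section table (PE32 and PE32+ alike)."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]     # IMAGE_FILE_HEADER.NumberOfSections
    size_opt = struct.unpack_from("<H", blob, coff + 16)[0]        # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + size_opt                                   # section headers follow the optional header
    out = []
    for i in range(num_sections):
        hdr = table + i * 40                                       # IMAGE_SECTION_HEADER is 40 bytes
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)  # SizeOfRawData, PointerToRawData
        out.append((name, blob[raw_ptr:raw_ptr + raw_size]))
    return out


def upx_indicators(blob: bytes) -> dict:
    """Triage verdict: UPX section names, or the UPX layout with a high-entropy payload section."""
    secs = pe_sections(blob)
    upx_named = [n for n, _ in secs if n.upper().startswith("UPX")]
    high_entropy = [n for n, d in secs if len(d) >= 256 and shannon_entropy(d) > 7.0]
    # Stock UPX writes an empty UPX0 (the unpacked image is decompressed into it at run
    # time) followed by UPX1 carrying the compressed payload. Modified builds frequently
    # rename the sections, so "empty first section, high-entropy second section" is kept
    # as a weaker, name-independent signal (assumed heuristic, not a UPX format guarantee).
    stealth_layout = len(secs) >= 2 and len(secs[0][1]) == 0 and secs[1][0] in high_entropy
    return {
        "sections": [n for n, _ in secs],
        "upx_named_sections": upx_named,
        "high_entropy_sections": high_entropy,
        "likely_upx": bool(upx_named) or stealth_layout,
    }


def build_fake_pe(sections) -> bytes:
    """Construct a minimal PE32 image carrying the given (name, raw_bytes) sections.
    Only the fields pe_sections() reads are meaningful; it is not a loadable binary."""
    e_lfanew, size_opt, file_align = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)                  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)                   # PE32 magic, rest zeroed
    headers_len = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    first_raw = (headers_len + file_align - 1) & ~(file_align - 1)
    raw_ptr, table, body = first_raw, b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0")[:8]
        table += struct.pack("<IIII", len(data) or 0x1000, 0x1000, len(data), raw_ptr if data else 0)
        table += b"\0" * 16                                                   # relocs/linenumbers/characteristics
        body += data
        raw_ptr += len(data)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + body


# Constructed samples (not the report's files): a stock-UPX layout, a plain image,
# and a "modified UPX" image whose sections were renamed to look ordinary.
_rng = random.Random(2024)
PACKED = build_fake_pe([(b"UPX0", b""), (b"UPX1", _rng.randbytes(4096)), (b".rsrc", b"\0" * 512)])
CLEAN = build_fake_pe([(b".text", b"mov eax, eax ; " * 300), (b".data", b"\0" * 1024)])
RENAMED = build_fake_pe([(b".text", b""), (b".data", _rng.randbytes(4096))])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("clean", CLEAN), ("renamed", RENAMED)):
        print(label, upx_indicators(blob))
```

Section names are trivially renamed, so this is a triage heuristic only; confirming the verdict means unpacking (for stock UPX, `upx -d`) or pivoting on the sample hashes listed above.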

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1856 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2500
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4840
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:1308
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:3288
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4124
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4692
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:4784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Views/modifies file attributes
        PID:1420
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:5008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:3420
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • Views/modifies file attributes
        PID:3604
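
The tree above shows one behaviour chain worth hunting for: the sample launches Internet Explorer with http://www.ymtuku.com/xg/?tan, then uses cmd.exe /c attrib +h to hide every Internet Explorer shortcut it knows of (the path components 桌面, 「开始」菜单\程序 and 启动 Internet Explorer 浏览器 are the Chinese-locale names for Desktop, Start Menu\Programs and "Launch Internet Explorer Browser", so they presumably do not exist on this en-us image) together with its two dropped copies, C:\WINDOWS\windows.exe and c:\system.exe. The following is an added example, not part of the report, of turning that chain into detection logic over Sysmon-style process-creation events: each attrib.exe and iexplore.exe event is walked up its parent chain to the process that was started from explorer.exe, so the cmd.exe intermediaries do not split the picture. The event tuples reuse the PIDs and command lines from this report; the explorer.exe parent (pid 1234), the benign iexplore.exe launch (pid 7777), the function names and the "session root is explorer.exe" rule are assumptions made for the example.

```python
import re
from collections import defaultdict

# Process-creation events in the spirit of Sysmon Event ID 1: (pid, ppid, image, command line).
# PIDs, images and command lines come from this report's process tree; the explorer.exe
# parent (1234) and the benign iexplore.exe launch (7777) are constructed for contrast.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe")
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
HIDE_TARGETS = [  # (cmd.exe pid, attrib.exe pid, path passed to attrib +h)
    (4840, 1308, r"C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"),
    (1800, 3288, r"C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"),
    (3984, 4124, r"C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer"
                 r"\Quick Launch\启动 Internet Explorer 浏览器.lnk"),
    (4692, 4784, r"C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer"
                 r"\Quick Launch\Internet Explorer.lnk"),
    (2748, 1420, r"C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"),
    (2480, 5008, r"C:\WINDOWS\windows.exe"),
    (3420, 3604, r"c:\system.exe"),
]
EVENTS = [
    (1234, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    (2168, 1234, SAMPLE, f'"{SAMPLE}"'),
    (1856, 2168, IE64, f'"{IE64}" http://www.ymtuku.com/xg/?tan'),
    (2500, 1856, IE32, f'"{IE32}" SCODEF:1856 CREDAT:17410 /prefetch:2'),
    (7777, 1234, IE64, f'"{IE64}" https://example.com/'),
]
for cmd_pid, attrib_pid, target in HIDE_TARGETS:
    EVENTS.append((cmd_pid, 2168, r"C:\Windows\SysWOW64\cmd.exe",
                   rf'"C:\Windows\System32\cmd.exe" /c attrib +h "{target}"'))
    EVENTS.append((attrib_pid, cmd_pid, r"C:\Windows\SysWOW64\attrib.exe", f'attrib +h "{target}"'))

ATTRIB_HIDE = re.compile(r'^attrib(?:\.exe)?\s+\+h\s+"?(.+?)"?\s*$', re.IGNORECASE)
# An .exe sitting directly in a drive root or in C:\Windows itself (not a subfolder)
# matches the two dropped copies in this report and is unusual for legitimate software.
DROPPED_EXE = re.compile(r"^[a-z]:\\(?:windows\\)?[^\\]+\.exe$", re.IGNORECASE)
# Parents from which a browser launch carrying a URL is expected (assumed allow-list).
ALLOWED_BROWSER_PARENTS = {"explorer.exe", "iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}


def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def root_of(pid: int, by_pid: dict) -> int:
    """Walk ppid links up to the process started from explorer.exe (or the oldest known ancestor)."""
    while True:
        parent = by_pid.get(by_pid[pid][1])
        if parent is None or base(parent[2]) == "explorer.exe":
            return pid
        pid = parent[0]


def analyse(events) -> dict:
    """Group suspicious attrib +h and browser-with-URL launches under their root process."""
    by_pid = {e[0]: e for e in events}
    findings = defaultdict(list)
    for pid, ppid, image, cmdline in events:
        img = base(image)
        parent = by_pid.get(ppid)
        if img == "attrib.exe":
            m = ATTRIB_HIDE.match(cmdline)
            if not m:
                continue
            target = m.group(1)
            if target.lower().endswith(".lnk"):
                findings[root_of(pid, by_pid)].append(("hides_shortcut", target))
            elif DROPPED_EXE.match(target):
                findings[root_of(pid, by_pid)].append(("hides_dropped_exe", target))
        elif img == "iexplore.exe" and parent is not None and base(parent[2]) not in ALLOWED_BROWSER_PARENTS:
            url = next((a for a in cmdline.split() if a.lower().startswith(("http://", "https://"))), None)
            if url:
                findings[root_of(pid, by_pid)].append(("browser_launched_with_url", url))
    return dict(findings)


def verdict(findings) -> str:
    kinds = {kind for kind, _ in findings}
    if {"hides_shortcut", "browser_launched_with_url"} <= kinds:
        return "ie-shortcut-hijack"
    if "hides_dropped_exe" in kinds:
        return "hidden-dropper"
    return "benign"


if __name__ == "__main__":
    for root, items in analyse(EVENTS).items():
        print(root, verdict(items), *items, sep="\n  ")
```

Only the attrib.exe leaf is matched, so each hide is counted once even though the page shows it twice (cmd.exe and attrib.exe). The benign explorer.exe-launched browser and the iexplore.exe content process spawned by iexplore.exe itself produce no findings, which is what keeps the rule quiet on a normal desktop.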

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\WINDOWS\windows.exe

    Filesize

    232KB

    MD5

    17b2657c69964dd0f238a3201e8d35d6

    SHA1

    d6686c7abcb9b6e633af1b39d5b366b633fd99e8

    SHA256

    324e2982586d2398f3d334752d1d7dc607ceb0e7c9597d45fda8695b2ad33d1b

    SHA512

    e6cd16df2336b43576bf1560b85209ce36ae8214a9380d0fc9f61d3afb7edf9b1514f9cc24cfca7447b4228f7f8c6b50ed9d15b084c1b858457887650ef9971a

  • C:\system.exe

    Filesize

    232KB

    MD5

    13e54971750a22edacad34439450a3f3

    SHA1

    bf4f67d43109a3cbc165952ef3a6bb6d049983ef

    SHA256

    aa51ad5baaa08f597e19c9af40dd0972d7b3eba280ac01e0e5e08924ae376e1a

    SHA512

    c72c5c656c3674d184d06a899b2ee88652db0ed84d60e41877751ce547a1e000dc97c00942ecf543ee9585397e4cbb8fe0470dd89424553072774b05b3496505

  • memory/2168-0-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2168-12-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB