Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 26/06/2024, 23:18

General

  • Target: 22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe
  • Size: 320KB
  • MD5: 322787fce3c3628b042cc40b173fbf20
  • SHA1: 4fd9aa74c6030fecb7dd30ec7537a224e1d78e53
  • SHA256: 22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215
  • SHA512: 984a1fbb3e7d9570f6a8d8e4381a088d9374474b1887d688aa1c7c3d44f9c69e4da6e8bf9be48624f10ac143598ba53923781d3873d8af7ebc0508422413cb77
  • SSDEEP: 6144:xTwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:JXgvmzFHi0mo5aH0qMzd5807FRPJQPDV

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 12 IoCs
  • Adds policy Run key to start application 2 TTPs 20 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\22d420983456928941372e92d0fafe5e22b7e0de4f5f8fa1a7e18894147a3215_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\adlryhl.exe
      "C:\Users\Admin\AppData\Local\Temp\adlryhl.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:1236
    • C:\Users\Admin\AppData\Local\Temp\adlryhl.exe
      "C:\Users\Admin\AppData\Local\Temp\adlryhl.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • System policy modification
      PID:3068
