Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20231129-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    26/06/2024, 21:19

General

  • Target

    116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe

  • Size

    1.3MB

  • MD5

    b7d5b22aaeab5b419389db0647ba4f60

  • SHA1

    f8aca4756c7cb1d843dd734ac5582e8540dab8e6

  • SHA256

    116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226

  • SHA512

    dc8b9112ae37b65d7371bde6d5a6e0aa2ddacdffb227c5ad3051e03cb40a586ee8699ddb3ce437c96804826d8ce32280455935be9731afb5a5d0c33332860b24

  • SSDEEP

    6144:gDCwfqDCwfyDDCwfADCwfyDDCwfqDCwfyDDCwfazhDCwfazrDCwfqDCG:g7q7yD7A7yD7q7yD7azh7azr7qb

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Impair Defenses: Safe Mode Boot
      • Modifies registry key
      PID:2248
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2896
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2644
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          PID:2832
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:2072
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:2028
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1964
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:2144
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Users\Admin\AppData\Local\Temp\avscan.exe
          C:\Users\Admin\AppData\Local\Temp\avscan.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2592
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c c:\windows\W_X_C.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1416
          • C:\windows\hosts.exe
            C:\windows\hosts.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1692
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            5⤵
            • Adds policy Run key to start application
            PID:2004
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • Modifies registry key
          PID:2452
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • Modifies registry key
          PID:1596
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • Modifies registry key
          PID:1208
        • C:\Windows\SysWOW64\REG.exe
          REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          4⤵
          • Modifies registry key
          PID:1732
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        PID:2800
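The process tree above shows four behaviours worth turning into detections: REG.exe deleting HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot (which removes the driver/service lists Safe Mode needs to boot), a dropped hosts.exe executing directly from the Windows directory root, cmd.exe and WScript.exe running W_X_C.bat / W_X_C.vbs from that same directory, and the relaunch loop in which the batch file starts hosts.exe, which starts the batch file again. The script below is an added example, not tria.ge's signature logic and not code from the sample: it runs those four rules over process-creation events constructed from the tree (same PIDs, images and command lines, plus one benign notepad.exe event). The event shape, the rule names, and the short allowlist of executables legitimately found in the Windows root are assumptions for illustration; the allowlist is deliberately incomplete and should be built from a clean baseline before use.

```python
"""Process-tree detection rules modelled on the tria.ge report above.

SAMPLE_EVENTS is CONSTRUCTED from the report's process tree (not real
Sysmon/EDR output).  Each event is (pid, ppid, image, command_line).
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe"
REG = r"C:\Windows\SysWOW64\REG.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAFEBOOT_CMD = r"REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f"
BAT_CMD = r"cmd /c c:\windows\W_X_C.bat"
VBS_CMD = r'"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"'

SAMPLE_EVENTS = [
    (2244, 1000, SAMPLE, f'"{SAMPLE}"'),                       # ppid 1000 is assumed
    (2248, 2244, REG, SAFEBOOT_CMD),
    (2616, 2244, r"C:\Users\Admin\AppData\Local\Temp\avscan.exe", r"C:\Users\Admin\AppData\Local\Temp\avscan.exe"),
    (2632, 2616, CMD, BAT_CMD),
    (2644, 2632, r"C:\windows\hosts.exe", r"C:\windows\hosts.exe"),
    (2832, 2632, r"C:\Windows\SysWOW64\WScript.exe", VBS_CMD),
    (2072, 2616, REG, SAFEBOOT_CMD),
    (2080, 2244, CMD, BAT_CMD),
    (2608, 2080, r"C:\windows\hosts.exe", r"C:\windows\hosts.exe"),
    (1416, 2608, CMD, BAT_CMD),
    (3000, 1000, r"C:\Windows\notepad.exe", "notepad.exe"),    # benign control event (constructed)
]

# Rule patterns.  Paths are compared case-insensitively because Windows is.
SAFEBOOT_RE = re.compile(r"\bdelete\b.*\\control\\safeboot\b", re.I)
WIN_ROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
WIN_ROOT_SCRIPT_RE = re.compile(r"[a-z]:\\windows\\[^\\\s\"]+\.(?:vbs|bat|cmd|js)\b", re.I)
BAT_RE = re.compile(r"([a-z]:\\[^\s\"]+\.bat)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
# Assumed, incomplete allowlist of binaries that legitimately live in C:\Windows\ itself.
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                          "write.exe", "winhlp32.exe", "splwow64.exe", "bfsvc.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid, parents):
    """Yield parent, grandparent, ... for pid, stopping at unknown or cyclic PIDs."""
    seen = {pid}
    while pid in parents and parents[pid] not in seen:
        pid = parents[pid]
        seen.add(pid)
        yield pid


def detect(events):
    """Return a list of (rule, pid) findings over a list of process-creation events."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    cmdline = {pid: cmd for pid, _, _, cmd in events}
    findings = []
    for pid, _, image, cmd in events:
        name = basename(image)
        # T1562.009 Impair Defenses: Safe Mode Boot, as seen in the tree above.
        if name == "reg.exe" and SAFEBOOT_RE.search(cmd):
            findings.append(("safeboot_key_deleted", pid))
        # Dropped executable placed directly in the Windows directory (hosts.exe).
        if WIN_ROOT_EXE_RE.match(image) and name not in WINDOWS_ROOT_ALLOWLIST:
            findings.append(("exe_in_windows_root", pid))
        # cmd/wscript/cscript running a script that lives in the Windows directory.
        if name in SCRIPT_HOSTS and WIN_ROOT_SCRIPT_RE.search(cmd):
            findings.append(("script_in_windows_root", pid))
        # Relaunch loop: the same batch file already appears in this process's ancestry.
        m = BAT_RE.search(cmd)
        if name == "cmd.exe" and m:
            bat = m.group(1).lower()
            if any(bat in cmdline.get(a, "").lower() for a in ancestors(pid, parents)):
                findings.append(("batch_relaunch_loop", pid))
    return findings


def summarize(findings):
    """Group findings as {rule: sorted list of PIDs} for reporting."""
    out = defaultdict(list)
    for rule, pid in findings:
        out[rule].append(pid)
    return {rule: sorted(pids) for rule, pids in out.items()}


if __name__ == "__main__":
    for rule, pids in summarize(detect(SAMPLE_EVENTS)).items():
        print(f"{rule}: {pids}")
```

On the constructed events, only the cmd.exe at PID 1416 trips the relaunch rule: its ancestry (2608 hosts.exe, 2080 cmd.exe) already contains an invocation of c:\windows\W_X_C.bat, whereas the first-level launches at 2632 and 2080 do not. The notepad.exe control event is matched by the Windows-root regex but suppressed by the allowlist, which is the false-positive risk to tune before deploying the rule.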

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    2.6MB

    MD5

    7671d3e8940305e96cad2c4ea9b61f0f

    SHA1

    cbeae54174b41e35a6e711c4b014479d63f7e9ba

    SHA256

    ae830846ce6cbdb6d68cb4432eccaa0db2893a582606d87948d43b329aacd89b

    SHA512

    50c1789ef28ab5da5c5603fbd1d627a4fa4a7eaa070b1f9cab3a6ecbd4ee0dedbba493f0c4d9127022549d3205bb649dec5928eae5cb581102b35ec96b328126

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    3.9MB

    MD5

    5f217d2815b075362da4483c942d8df3

    SHA1

    fdacd36faab4b43c48fe84d33bf772b4d28fa9c7

    SHA256

    ad615e54b6440a8679eb13cf88db7e370ce34c9ac6132570f5eee3a19823f825

    SHA512

    6b75eff2dd2df4facb0eac84bd0d119097e905592ce155b6975a10be86ed00da38f211c4dd69d4c856611048e260d182f4ae4e1dc98d525b6cc9c6d2df7304b7

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    5.2MB

    MD5

    c7ab8442761528dd4dcbbbf0d6f59823

    SHA1

    f8c0e4599851b84f8ec9df677800f5609d811142

    SHA256

    a9d46091c4bc8c39e34484536986eb1549d69fd94ff0f9bb955f3fe160ee75bc

    SHA512

    674570c79e8b48e24c1f991ba341abd06b47c32d76485a8678cf230afdf32fb10d5c877ccb196ee7dc295e0f9d0f9c47049a74a1c974b65f40265b8108d9fe26

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    6.5MB

    MD5

    c42e232bd1cb2c4ff51bb58216c9e4e9

    SHA1

    6da52b20873453d936e44ecc544f5485b5be25d9

    SHA256

    699a1538b408cf204b0a504fc63dcfabb6e6a5b78e954b84b640b8d9f566baff

    SHA512

    7d59c15a455826ee7a96eb1fbd1136a9f9f69f57942a891943a3f250a3458f1df0726cc24d1eb57a1c3be974383c4eb9c32c334844d0fd891bdf50df7003cf61

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    7.8MB

    MD5

    a8b9850e60f66350788f7d42ac73fdee

    SHA1

    d354e630a6324e8385c690c3735b5d3fd3bdd550

    SHA256

    ea7387ec25fe8318f5aa8126d32615bc093ea0060fca6ded042106f98853809d

    SHA512

    1c2547e8da376765afcc5d8d6332c3e4c7121e58fd72b8829890358a38627b0c01dfc43a70231c18e3040dc78dbd71ff8e81e1551b9dca27138795a07a006232

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    9.1MB

    MD5

    09f00f2ac97d9a188c478b0b1dfd6094

    SHA1

    6956914cbdfe4ad56306af08d063fba6be211fad

    SHA256

    b1b455ab79700039721a023fbe5ca631fcf582410c3de5aa48bce2d548d33ec8

    SHA512

    c8ddc3ca94ece619505277e18be4711b650250cd0a708990dd3f5728553305adf005afafbae9971457713529422b9c5a8fc4874a2adbf0f58e3f1bbbffa2b9d3

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    10.4MB

    MD5

    99a6007dbc6b6fc316b971f271d70011

    SHA1

    4a1dac7174b603e3c2e7b6f31a0eb449eaef0207

    SHA256

    799024d27756a17905aef7303336c58850b95f868c3de92abe0d7653951ae65e

    SHA512

    26d5f3b00f8618585c364a99fc95012c394cd981931994c05cb0fa44e344910f44c4bbdff1f4c30c9c41dda72c09de582248a439d6fe5a6ad188313f47514083

  • C:\Windows\W_X_C.vbs

    Filesize

    195B

    MD5

    213eeee0bf55b5002060609a41f54dda

    SHA1

    e4dcd3878c2ac69345e22c405dfe1035b6817dcd

    SHA256

    84e5623c8426cf9f7501e1fb0f83c4c3b1d55b56ea0502ef304fb711c84d42f2

    SHA512

    5ce9e9e476998b84805d76f45fcc1422f777061f7338c01b4f4cae71c0d0265b6fa55dfffe2eb5c37bc796b9ae6455bcb6a992e43add400bbb75f5056e311c44

  • C:\Windows\hosts.exe

    Filesize

    1.3MB

    MD5

    293394ad07858dfaf781659d8c4f14be

    SHA1

    46d4a2a7108b1ce1bb91bb34d3e9fe2668dc116b

    SHA256

    ca5e52ba2cb916e2a72972c912293813cec277ed134eb6d1fdbd9512fcffce34

    SHA512

    7a9bea0e9e45ee7a7aca0c0e01bfcd40d5c074484c77741e1975910ff5ca9fd8a72364546979aac310e6c4a67a8fb73e5ca3a174d949cacf9f7b05001fc7b221

  • \??\c:\windows\W_X_C.bat

    Filesize

    336B

    MD5

    4db9f8b6175722b62ececeeeba1ce307

    SHA1

    3b3ba8414706e72a6fa19e884a97b87609e11e47

    SHA256

    d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

    SHA512

    1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    1.3MB

    MD5

    4b3e2636686e61a13fec3d0316334dae

    SHA1

    97a8ccc15223f35ce6f60f9d365076795f6bcdab

    SHA256

    18b5b07188152b7e7149cbf105334a64b08071aa620184395d5b119ef2a2cd09

    SHA512

    9fde206dc34971ca76b076a0afbbe58b349fc74ad4bae1512025590229988d64c8281e9876435148e379c0221200dd72c021c02151d96bd7efc522087c0b967c

  • memory/2592-60-0x0000000000270000-0x0000000000280000-memory.dmp

    Filesize

    64KB

  • memory/2592-59-0x0000000000270000-0x0000000000280000-memory.dmp

    Filesize

    64KB