Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/06/2024, 21:19

General

  • Target

    116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe

  • Size

    1.3MB

  • MD5

    b7d5b22aaeab5b419389db0647ba4f60

  • SHA1

    f8aca4756c7cb1d843dd734ac5582e8540dab8e6

  • SHA256

    116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226

  • SHA512

    dc8b9112ae37b65d7371bde6d5a6e0aa2ddacdffb227c5ad3051e03cb40a586ee8699ddb3ce437c96804826d8ce32280455935be9731afb5a5d0c33332860b24

  • SSDEEP

    6144:gDCwfqDCwfyDDCwfADCwfyDDCwfqDCwfyDDCwfazhDCwfazrDCwfqDCG:g7q7yD7A7yD7q7yD7azh7azr7qb

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Impair Defenses: Safe Mode Boot
      • Modifies registry key
      PID:4828
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3612
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3528
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
            5⤵
            • Checks computer location settings
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:5660
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:3816
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              PID:4572
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:3512
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:1684
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:4856
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:4036
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          PID:3104
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:2340
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:5944
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:5756
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:2200
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4932
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        PID:1828
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:5428

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\avscan.exe

      Filesize

      1.3MB

      MD5

      235a7cf05fdbf8e180fd10a026250010

      SHA1

      4fc1e5466ed9f84cb177e51765f36a849a828f6d

      SHA256

      228fd3806c8bf9f6c017f61f48dca787844a8781ecaf69bd2770cd67b7bf39f7

      SHA512

      dd62a108df38cd542db4d2dca4654e7b3f2a6e5aabc17e61063b8b03f6805c9fbf33656fcbb0c4cabbc36f6450d56f2fc9d4978b76f9a1333c4983ad50dd210b

    • C:\Windows\W_X_C.vbs

      Filesize

      195B

      MD5

      1b97fc0bf80f44c04514817b1c7449e7

      SHA1

      1b32070bd87946ce42e7c3e49a47e282b2622852

      SHA256

      e756c1e489a198dd4dd1536efb045f4a14054e7902931f6af0cf13343f60cb4c

      SHA512

      be89f25cf5ba8635dda55c20c249233c68a488d9a76f73f4a259dc994c26938b58a57b67f16d6ce477213b27f19bdc3ca6e43443925fa218f58418e128eb7fc2

    • C:\Windows\hosts.exe

      Filesize

      1.3MB

      MD5

      63974865ff2681c0eabaf0993bce6445

      SHA1

      5744993b660e9f482fee520e044d4d04bb1fcd75

      SHA256

      b9a0a44aa5d7f6f34c6649e55ecc7815843942a7ee51a5e6d0154e899a7adc5d

      SHA512

      d9593305e83f3e13218f87d22cdd8edef044362774399b5e3e568a3dc78480247d0a5f14114bb386a75ba5db5a58fe7468cedd8d6ff3005dc5e074859314eac8

    • \??\c:\windows\W_X_C.bat

      Filesize

      336B

      MD5

      4db9f8b6175722b62ececeeeba1ce307

      SHA1

      3b3ba8414706e72a6fa19e884a97b87609e11e47

      SHA256

      d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

      SHA512

      1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b