Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
27/06/2024, 06:04
General
-
Target
59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe
-
Size
88KB
-
MD5
ef5cf99c88e6f65cd2f435178e520900
-
SHA1
375971a32dc79e4ba787373948c4821d427af855
-
SHA256
59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd
-
SHA512
f8a2c319a22f62a6a9c923c371a86395c722213240250b0fe2ef52a0f62241755082a6358be3269b53804e1c7132f199d288f2859b5cd2dc9fe5a321641bb9e8
-
SSDEEP
768:uvw981E9hKQLrow4/wQDNrfrunMxVFA3r:aEGJ0owlYunMxVS3r
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E8EDD126-8684-4805-8DDF-85CE668191AE}.exeC:\Windows\{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exeC:\Windows\{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exeC:\Windows\{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{A926B710-39A4-47ab-A306-6CAF6FC02954}.exeC:\Windows\{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exeC:\Windows\{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F2D923AD-EB72-439a-882D-9D628598EA0E}.exeC:\Windows\{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exeC:\Windows\{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CA7682B2-52DC-4aef-8AA9-6F7FC6923751}.exeC:\Windows\{CA7682B2-52DC-4aef-8AA9-6F7FC6923751}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{478F3ED4-5B32-420f-A30A-CEF9BC41C2AB}.exeC:\Windows\{478F3ED4-5B32-420f-A30A-CEF9BC41C2AB}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{8AFE8919-D41A-485e-979D-E7A4C7CFC061}.exeC:\Windows\{8AFE8919-D41A-485e-979D-E7A4C7CFC061}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{33EDEAB3-A9FE-4b2c-A6EE-74637C955805}.exeC:\Windows\{33EDEAB3-A9FE-4b2c-A6EE-74637C955805}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{8AFE8~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{478F3~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CA768~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D3FDF~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F2D92~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1E90A~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{A926B~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7B681~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F41AD~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E8EDD~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\59209E~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
88KB
MD5688d3f42374787bbef2bfd59fca95e34
SHA1b6849dda124af20081837816b4c2def71fbe2591
SHA25612c2513fc4ff892e59147726d88e1953ed0402bb3b05ca5982bfc61c0ab3c65e
SHA5125c06f5fe5f632267dfd0c7bfe483440263da28931e2cbf1b728bce9be0089ab3dda117b8ecc9c462ed8e697099ca67302490ca1251ff665d2d29128886dd6f2e
-
Filesize
88KB
MD54ebd0b66b9cddb0357cbe21ba0babcf0
SHA1af59efc34f36ef48fe9545546e4739c88ba7638b
SHA256180a8b5d512016c796be0935ed1a32c41f36f5f7a3091f93573e0b33aac488c3
SHA512c08df32179bca582f47b68e61054a8d3d51b98214e0dab9aff0a3abe423fe9edaf5460ef8010f2a964662bc8d4f8cb9e286fba1d22b9cd4c93ac7d1054bf1274
-
Filesize
88KB
MD5173f7fe0e6d305f4f574860c03d36777
SHA18062d939178f9a550fabe68f8a0cd6a7bb31deda
SHA2562f4f55fd7bfae6daa51639ede667fd2bc218307e79c1129056ddb2578da11a70
SHA512ae43e1479c205de1ff4d6a2616354061f437c0bee3057683e3e116e8f490729eb3cf7061b32fe63513aa61f3c3d1959a45f7de63eb97d89f39e008d19b0adb4a
-
Filesize
88KB
MD53938e694ec37c5765768b4c85711276b
SHA1de0df57ba30ad4987e83c4caca70cd05725e73a8
SHA256eecbde74eacf2d5be9094e7593d3f4022bd4881651bf0098c20db996f39983ec
SHA512e0107d344ef52241e1abd6879ed21c047d9d68413f700cf2674983f5fd2a0f1182c45d104f0048e8e1e6edb1dcd5b350c15f24c4c7afde5d83ad5e30cd73a4e2
-
Filesize
88KB
MD51575bd61ac9f1c7030f9d64eec2291c3
SHA1675c5389c3783d7c6d5b6f6fd42d01d9cf3726fb
SHA2565f06b7b4814f4f0478adcb7e75cae7f4a14607cc097d6ab845804d39dc7e737b
SHA512631df5fc51e3b1752371c51dd37bd31043594de78b23f736b8d3ab08c3f9be2e3de1405630eac952b4a45dcf9fd9bdf0c91962b2a5dbed0bbdf78bb35872b89d
-
Filesize
88KB
MD5c8a1e0bc14df44cda37ef697e0ab0b1d
SHA1edc52a1d770cfd3563a86104d247322a73f8e020
SHA25630146517b0515b3eaa432689368db34fec529e0a0fbbfac98a27682b4771cf5e
SHA51224a788edbee17953e613a46575803c8bc3ca8e481acfd019d42ac3a3680b1edf4ca087dc577ec551244545966607881a4a591ad56ea1f449da5f67cdc91a3560
-
Filesize
88KB
MD5c1b1af80c9783e73511cb5b44818b552
SHA14cf43ce7bfe5883f0056197ad4a19371a28ccad5
SHA256e489605ed3f7f88831c1dcd505bb05ee1eb55f770f060995a2944924b7376942
SHA51213433881cb842eadce6881864d09cecc5f06acaccafdf47e580a8027ce7c53568b8aec5259b9cd1d4a35cf6b7a91d517ee6d5607b62d1187b5f9bd53eafcd9f7
-
Filesize
88KB
MD5a5f1de8e7107a001a764294c87f2ed8e
SHA161f905797ccbafd1026ee6feed44668fa4504805
SHA2563878c205a6d2bc969a295e706df00f2a200ff9135f6dd4408755e9c0ebfc02bb
SHA512fb548780422d2dcb417be0fd21128bb156e791368a3b2406eae700cbfefd07b70c6def37914ae9756a6ee408b07064dc1daf4a208831c5ffadd8865f4e393a39
-
Filesize
88KB
MD5ca098cc19898ff9750eb8db2b82b737c
SHA10f9e115014dd03895f457397a277461005ce2627
SHA25613144ad65e8b2c90de07e7c091c88a3158b14ea6b7caf1fcbc043a04627ee892
SHA512c664eb06b9fc7aada5e30750a0d48024dae43c934345081eef16768c0386c88cebe5d16e24e89e70d60d32bbf5f6b056fc030f4ab64637712c9333ffa65a3260
-
Filesize
88KB
MD51a586837b80206fdce8d3d081552a47c
SHA1aa12f2c174d107e325936ef0ec6fa1211108ccdd
SHA256ce004d9f7075acb2b2f189919563aebf7f9e0da3f6fd6a223b19b4888c8e3080
SHA51290e75d0b9583eb697f55a34af7fd3d32db0ed7f69b5f1541e31634261a9cfdba2b9a0372a451ce881b64ae5f648ef049207505e491121e6f3b46ee526ef7e4ce
-
Filesize
88KB
MD5684a183c517e8bbd95c91a24cccf764d
SHA1e07f6aff30f74cd8561f6d1a2e31bb6121d275a5
SHA25672b0d4151b2ea1a13c664d9a23ba89c3ed4bd3e0e69841201a0ff7fbc6dce34f
SHA51258759a22929f835c9995d9fa72443efbab44d753a27cbab29bb78d6be7c6410d0c03587805b3d12366beb430340726b19fca4c32132ad2ea95b71cac1fec40b3
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB