Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

4c312c136c...cs.exe

windows7-x64

7

4c312c136c...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    28/06/2024, 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c312c136c3d3630e6a7819073151abe2bec245e293fa02c864d455a8c5362f4_NeikiAnalytics.exe

  • Size

    2.6MB

  • MD5

    cd5e3e4dae1c6a68f46963b0feb76770

  • SHA1

    d2bac6409ec52448379093ba990f4edde2624eb7

  • SHA256

    4c312c136c3d3630e6a7819073151abe2bec245e293fa02c864d455a8c5362f4

  • SHA512

    b5c9596501801e896d6a49e8f65d0ecc5a721bfc4e5530d468560a9112c0623175012b7acfe18594fe8d0a647e2b89a9c20380305f14a78f2d824a329cff121e

  • SSDEEP

    12288:qCMYGmkOqYYf01bInqzHWI9WFEeapp3TXn8YoWSXLGzEoqAb8/DjUHhsAennZ5/I:qCmIYSbEDJUrTDw6aZWjvFtta8BuOh

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c312c136c3d3630e6a7819073151abe2bec245e293fa02c864d455a8c5362f4_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4c312c136c3d3630e6a7819073151abe2bec245e293fa02c864d455a8c5362f4_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\sQuAx.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Task Manager" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2720
    • C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe
      "C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe
        "C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3068
      • C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe
        "C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sQuAx.bat
    Filesize

    170B

    MD5

    e612e66a93150f09e419dc23aa6ad30b

    SHA1

    aac69550ea153ff1b4550261675221c144b2da54

    SHA256

    c505222bbd299a60df2b8c9049866bc49e355f117a12f55fb1f5406d882f14ce

    SHA512

    51b236bc6b7c02a7babf61a1918a8f554f3d69762051943c8f712a68a7c1494e0a979efd6ebe49f1b4daae47d0e4c12652dcb16ac3e500565ba2dcbd16764e9f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Windows Task Manager\taskmgr.exe
    Filesize

    2.6MB

    MD5

    595876b449f8cf940e16806c21d6ed5d

    SHA1

    506308b49404462435890ab302f627c4717d0dfb

    SHA256

    aa45311bf4b3d01138ac077175a47e261088182bba0eabbca07a8ae2363276f3

    SHA512

    85a9fd522b96a0ff1cea84f561a263ec9b3595cdcbaa1cabdc22805ef7ae6b072fbcd44c0d9a1e018c10c98ccc0f39daeb1723e609c1dca8118b7428d0aa5345

    Download Submit

  • memory/1924-0-0x0000000000400000-0x0000000000699000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/1924-43-0x0000000000400000-0x0000000000699000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2600-49-0x0000000002B10000-0x0000000002DA9000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2600-44-0x0000000000400000-0x0000000000699000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2600-58-0x0000000000400000-0x0000000000699000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2692-65-0x0000000010410000-0x000000001046C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2692-50-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2692-52-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2692-56-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2692-66-0x0000000010410000-0x000000001046C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2692-72-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2692-55-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2692-53-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2704-62-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2704-61-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2704-57-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2704-76-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download