Analysis

  • max time kernel
    121s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/07/2024, 09:43

General

  • Target

    483070d9693222699f5c0a4ca47fb24198b8f6b44295bd6ef1559b9c442ec61a_NeikiAnalytics.exe

  • Size

    352KB

  • MD5

    04fa6d8d01a6acb887a3ee37f26b27e0

  • SHA1

    003fc3fea83e186b80dbb16c41c9286150ac0464

  • SHA256

    483070d9693222699f5c0a4ca47fb24198b8f6b44295bd6ef1559b9c442ec61a

  • SHA512

    69393262df63f09b28a260668304431275dfa80a533f36f83fc31f7789efe33c25cbc91bfc6a293bac21914135239f2e082d26e3c0c08a206d2bc582b97c4ea8

  • SSDEEP

    6144:ntKe6YiDdv3m3mgKHI3HWTXceq1bbLmRHcAVgL8zhYrT4yvZDZll:ntKe6Zv23YemcR1bbLmRNO8zyrTDNZ

Score
8/10

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE (1 IoC)
  • Modifies system executable filetype association (2 TTPs, 2 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Drops file in System32 directory (6 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Modifies registry class (12 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\483070d9693222699f5c0a4ca47fb24198b8f6b44295bd6ef1559b9c442ec61a_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\483070d9693222699f5c0a4ca47fb24198b8f6b44295bd6ef1559b9c442ec61a_NeikiAnalytics.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\spoolsv.exe
      C:\Windows\spoolsv.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies registry class
      PID:2364

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\concp32.exe

    Filesize

    354KB

    MD5

    cf53659eb5fe2d739bf167bee4ae7172

    SHA1

    9eddf4e37d23246ee01da70fb2bb070d9e3eb350

    SHA256

    16de04db96adea570798a03d9f2a34e9e024dfd4799ea1839f71b83aa43f4d13

    SHA512

    45ee6707bf43bb2f7698d37e418dbc1760934a229bbbd856df8bf0470f3967fc8adc4185fdd5f31facc314a1a7e3bcd03c5375803eb8e2b0adc3317fc07d53b1

  • C:\Windows\spoolsv.exe

    Filesize

    356KB

    MD5

    bb6d795785c639cd036f9a538882e9f5

    SHA1

    ef528052c920f74266f942c3cc79fa4b33bdbe1b

    SHA256

    2b4b53c89d2833360b85cb06ab6bcdbc4c2272da6e870cac9aa6b2b5bd024fe3

    SHA512

    ecbedbbf4ee4b7e78dc598d0c250b7de588da71229da852d1f5af323435b066027f3efb8683e359ee0406f093bb6b72d7d1e35cd8747844f0b5eb263ee20b01f

  • memory/1664-0-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/1664-14-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2364-15-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB