Analysis
max time kernel: 145s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 15:41
Static task: static1
Behavioral task: behavioral1
  Sample: 783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe
Size: 3.5MB
MD5: 783304afd72c993aa63411e471c58a10
SHA1: 7b0bf45e24eee94c78023ee01e61f19bd76bb766
SHA256: 064445b7a7dee55746f3ba1bdaaec5ac1e35cab7e015fd399e36a38cfa7e2a03
SHA512: e2a02830feabc079003ded9a9e4fafe7e8e0f7a117c7bbc3cade954ff2eb5e8b0928483001b67812e7654f5f1c5bacad482670592307bf42ffe539f18348c92a
SSDEEP: 98304:I/GNO3nlp5APPArknZvcrzQSxD8VDuk6T:I/Gsnj5AUknWrEQQDufT
Malware Config
Signatures
YARA rule matches (2 dropped files)
resource: behavioral1/files/0x00060000000155d4-76.dat, yara_rule: aspack_v212_v242
resource: behavioral1/files/0x0006000000015c3c-132.dat, yara_rule: aspack_v212_v242
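The two YARA hits above are packer detections, not malware-family detections: aspack_v212_v242 fires on files packed with ASPack 2.12 through 2.42, and a packed dropped file is only a hint that the real code is unpacked at run time. A quick static cross-check an analyst can run on the dropped .dat files is to read the PE section table and look for the section names ASPack inserts (.aspack and .adata) and for an entry point that lands inside one of them. The script below is an added example and is not tria.ge's rule or code; it parses the section table with the standard library only, and the PE it builds in make_test_pe() is constructed here for demonstration, not one of the files in this report. Section names are a heuristic: a packer can rename them, and ASPack on its own says nothing about the packed payload.

```python
"""Static ASPack indicator check over a PE file (added example, not tria.ge code).

Parses the COFF/optional headers and the section table by hand so it runs
with the standard library only.  The .aspack/.adata section names and the
entry point falling inside them are the ASPack tells; anything beyond that
(exact version, payload behaviour) needs unpacking, not this script.
"""
import struct
import sys

# Section names ASPack adds to the image it wraps (heuristic; renameable).
ASPACK_SECTIONS = {b".aspack", b".adata"}


def section_table(pe: bytes):
    """Return (entry_point_rva, [section dicts]) from a PE image in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of the optional header for PE32 and PE32+
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    table = opt + size_opt
    secs = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        secs.append({"name": name.rstrip(b"\0"), "vaddr": vaddr,
                     "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    return entry, secs


def aspack_indicators(pe: bytes) -> dict:
    """Report ASPack section names and whether the entry point is inside one."""
    entry, secs = section_table(pe)
    hits = [s["name"].decode("latin-1") for s in secs if s["name"] in ASPACK_SECTIONS]
    ep_sec = next((s for s in secs
                   if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    ep_in_packer = ep_sec is not None and ep_sec["name"] in ASPACK_SECTIONS
    return {
        "aspack_sections": hits,
        "entry_section": ep_sec["name"].decode("latin-1") if ep_sec else None,
        "entry_in_packer_section": ep_in_packer,
        # both signals together; section names alone are the weaker tell
        "likely_aspack": bool(hits) and ep_in_packer,
    }


def make_test_pe(packed: bool) -> bytes:
    """Constructed minimal PE32 for demonstration (not a real binary)."""
    if packed:   # layout ASPack leaves behind: original sections plus .aspack/.adata
        secs = [(b".text", 0x1000, 0x1000), (b".data", 0x2000, 0x1000),
                (b".aspack", 0x3000, 0x800), (b".adata", 0x4000, 0x100)]
        entry = 0x3001
    else:
        secs = [(b".text", 0x1000, 0x1000), (b".rdata", 0x2000, 0x400),
                (b".data", 0x3000, 0x200)]
        entry = 0x1234
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                           # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic = PE32
    struct.pack_into("<I", opt, 16, entry)         # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, 0x60000020)
                     for n, va, vs in secs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return aspack_indicators(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for p in targets:
            print(p, scan_file(p))
    else:
        print("packed  :", aspack_indicators(make_test_pe(True)))
        print("unpacked:", aspack_indicators(make_test_pe(False)))
```

Run it with no arguments to see the two constructed cases, or pass the extracted dropped files as paths. A hit here confirms the packer, which tells you to pull the unpacked image from the sandbox's memory dumps rather than reverse the .dat on disk.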
Executes dropped EXE (2 IoCs)
pid 2484: _783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe
pid 1372: #_783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe
Loads dropped DLL (22 IoCs)
pid 2292: 783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe (1 event)
pid 2484: _783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe (12 events)
pid 1656: cmd.exe (1 event)
pid 1372: #_783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe (8 events)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (37 IoCs)
pid 2484: _783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe (31 events)
pid 1372: #_783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe (6 events)
Suspicious use of FindShellTrayWindow (1 IoC)
pid 2292: 783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory (26 IoCs)
PID 2292 (783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe) wrote to memory of PID 2484, procid_target 28: 7 writes
PID 2484 (_783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe) wrote to memory of PID 328, procid_target 29: 4 writes
PID 328 (cmd.exe) wrote to memory of PID 456, procid_target 31: 4 writes
PID 456 (cmd.exe) wrote to memory of PID 1656, procid_target 32: 4 writes
PID 1656 (cmd.exe) wrote to memory of PID 1372, procid_target 33: 7 writes
Processes
C:\Users\Admin\AppData\Local\Temp\783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe (PID 2292, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\_783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe (PID 2484, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\_783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe" /start=1 /path=
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 328, level 3)
      Command line: C:\Windows\system32\cmd.exe /d /c cmd.exe /d /c cmd.exe /d /c "C:\Users\Admin\AppData\Local\Temp\#_783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe" /param=1
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 456, level 4)
        Command line: cmd.exe /d /c cmd.exe /d /c "C:\Users\Admin\AppData\Local\Temp\#_783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe" /param=1
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1656, level 5)
          Command line: cmd.exe /d /c "C:\Users\Admin\AppData\Local\Temp\#_783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe" /param=1
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\#_783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe (PID 1372, level 6)
            Command line: C:\Users\Admin\AppData\Local\Temp\#_783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe /param=1
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
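The tree above is the part of this report a detection engineer should take away. The dropper writes a copy of itself into %TEMP% with an underscore prefix, that copy launches the second copy (hash-prefixed) through three chained cmd.exe hops, and every hop is `cmd.exe /d /c`: /c runs the command and exits, /d stops cmd.exe from executing the AutoRun commands stored in the registry, so the chain behaves identically on any host. Each hop is one more process boundary between the dropper and the payload, which is enough to defeat a rule that only looks at the immediate parent of the payload (it sees cmd.exe, not the dropper). The script below is an added example, not tria.ge code: it rebuilds the tree from the WriteProcessMemory parent/child rows, collapses the repeated writes, and flags nested cmd hops, renamed self-copies and payloads reached through a run of consecutive cmd.exe ancestors. PROCESSES and WPM_EVENTS are transcribed from this report; the three heuristics are the author's, not tria.ge signatures.

```python
"""Rebuild a sandbox process tree from parent->child events and flag launch
patterns worth a second look.  Added example, not tria.ge code.

PROCESSES and WPM_EVENTS are transcribed from this report's process listing
and 'Suspicious use of WriteProcessMemory' table.  The heuristics are the
author's assumptions: nested cmd.exe /d /c hops in one command line, dropped
copies that keep the sample's file name behind a prefix, and a payload whose
ancestors are a run of two or more cmd.exe processes.
"""
import re
from collections import defaultdict

SAMPLE = "783304afd72c993aa63411e471c58a10_NeikiAnalytics.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


def tmp(name: str) -> str:
    return TEMP + "\\" + name


# pid -> (image name, command line), as shown in the report
PROCESSES = {
    2292: (SAMPLE, f'"{tmp(SAMPLE)}"'),
    2484: ("_" + SAMPLE, f'"{tmp("_" + SAMPLE)}" /start=1 /path='),
    328: ("cmd.exe", r"C:\Windows\system32\cmd.exe /d /c cmd.exe /d /c cmd.exe /d /c "
          + f'"{tmp("#_" + SAMPLE)}" /param=1'),
    456: ("cmd.exe", "cmd.exe /d /c cmd.exe /d /c " + f'"{tmp("#_" + SAMPLE)}" /param=1'),
    1656: ("cmd.exe", "cmd.exe /d /c " + f'"{tmp("#_" + SAMPLE)}" /param=1'),
    1372: ("#_" + SAMPLE, tmp("#_" + SAMPLE) + " /param=1"),
}

# (parent pid, child pid), one tuple per WriteProcessMemory row in the report;
# a row repeats for every write the parent makes into the child before it runs
WPM_EVENTS = ([(2292, 2484)] * 7 + [(2484, 328)] * 4 + [(328, 456)] * 4
              + [(456, 1656)] * 4 + [(1656, 1372)] * 7)

# one "cmd.exe /d /c" hop; /d disables the AutoRun registry commands
CMD_HOP = re.compile(r"(?i)\bcmd(?:\.exe)?\s+/d\s+/c\b")


def build_tree(events):
    """Collapse repeated write events to one parent per child; return (parent, children)."""
    parent = {}
    for p, c in events:
        parent.setdefault(c, p)
    children = defaultdict(list)
    for c, p in parent.items():
        children[p].append(c)
    return parent, {p: sorted(cs) for p, cs in children.items()}


def lineage(pid, parent):
    """Root-first chain of pids that led to `pid`."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def cmd_nesting(cmdline: str) -> int:
    """How many chained cmd.exe /d /c hops one command line encodes."""
    return len(CMD_HOP.findall(cmdline))


def render(pid, children, depth=0):
    """Indented text tree, root first."""
    image, cmdline = PROCESSES[pid]
    lines = [f"{'  ' * depth}{pid} {image}: {cmdline}"]
    for c in children.get(pid, []):
        lines.extend(render(c, children, depth + 1))
    return lines


def findings(processes, events):
    """Return (kind, pid, detail) tuples for the three heuristics."""
    parent, _ = build_tree(events)
    out = []
    for pid, (image, cmdline) in processes.items():
        hops = cmd_nesting(cmdline)
        if hops >= 2:
            out.append(("nested-cmd", pid, hops))
        if image != SAMPLE and image.endswith(SAMPLE):
            out.append(("renamed-self-copy", pid, image))
        # longest run of consecutive cmd.exe ancestors directly above this process
        run = 0
        for ancestor in lineage(pid, parent)[:-1]:
            run = run + 1 if processes[ancestor][0].lower() == "cmd.exe" else 0
        if run >= 2 and image.lower() != "cmd.exe":
            out.append(("cmd-relay", pid, run))
    return out


if __name__ == "__main__":
    parent, children = build_tree(WPM_EVENTS)
    print("\n".join(render(2292, children)))
    for f in findings(PROCESSES, WPM_EVENTS):
        print("finding:", f)
```

Swapping PROCESSES and WPM_EVENTS for the same two tables from another report, or for Sysmon event ID 1 parent/child pairs, is all that is needed to reuse it; the cmd-relay check is the one that survives the attacker renaming the payload, because it keys on the ancestry rather than on names or hashes.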
Downloads

Filesize: 1.8MB
MD5: 01fe6ff3d2664e3ddaf98724b0639f89
SHA1: 40c535f27ff017e338f5c376a11403cdf65183df
SHA256: 7c85adeb7727f0018dd042ad8aa141f9f4af1767ef0fb95116a2e98b76b28ba4
SHA512: 6ff58234edca4c5246478b6f21bac899fa0505fc7d32e6a8aba5fd66de439560da1c3eb53c0880fc08559308d1675cdb6a5ca1c2991b3957087ad6e918b7d3d9

Filesize: 359KB
MD5: 950afc3a4658d36700f4a51c70a6d706
SHA1: 65ede985830eedf771aed113b56e8be255e14af2
SHA256: 32de26d099d8f0b0d2945c9ef2d47f5f97a23ee8146a7318846510e7e9382525
SHA512: ae529e7960bc7fd8a9940e039cbfb2b6a8d145dac52ae61751f9774b7866a53640ae48e18e6d0d4906f234ab3702b14cc47a26b44789cca697caf6788684a860

Filesize: 90KB
MD5: 529addc01ba0b31f89ba74518837f03d
SHA1: 770bd27e1faa4a2a7ef4a15f53b95661cc314df4
SHA256: f01d831cbd676d7acdeba923bd3f03af733e7dcf83611e84c17561b6ac9412dc
SHA512: 0c171ec9456afb6701d2e1accf408a0e36db28977faeee8492e7ba9cf6a1c6d0677b28b3a123264ffe87f366a852698906a8519d6a5c436b500688bbc7dcee82

Filesize: 3.5MB (identical hashes to the submitted sample: the sample writes a byte-for-byte copy of itself)
MD5: 783304afd72c993aa63411e471c58a10
SHA1: 7b0bf45e24eee94c78023ee01e61f19bd76bb766
SHA256: 064445b7a7dee55746f3ba1bdaaec5ac1e35cab7e015fd399e36a38cfa7e2a03
SHA512: e2a02830feabc079003ded9a9e4fafe7e8e0f7a117c7bbc3cade954ff2eb5e8b0928483001b67812e7654f5f1c5bacad482670592307bf42ffe539f18348c92a

Filesize: 4KB
MD5: a748a0a7a7eb56ad356cce710968a380
SHA1: a8cd1e978a4b481f410fc5205ca5a29cdb2c22e7
SHA256: 33409ceab861b0164a9ec3a0395934cade72e2ef1f14a9468a604892b2bbcbd9
SHA512: 05433019dc827399b00195461fcc58f287d53b34fdeb29c5e402563f83e5e702ac8d9e0978ee87ed7c15dd26d7e76b37751f5d55dec49cde8ea74879dd0c3648

Filesize: 10KB
MD5: 56a321bd011112ec5d8a32b2f6fd3231
SHA1: df20e3a35a1636de64df5290ae5e4e7572447f78
SHA256: bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
SHA512: 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Filesize: 20KB
MD5: e541458cfe66ef95ffbea40eaaa07289
SHA1: caec1233f841ee72004231a3027b13cdeb13274c
SHA256: 3bce87b66d9272c82421920c34b0216e12c57a437d1955c36f23c74c1a01d420
SHA512: 0bf6313e4cb7bbdcfba828fb791540b630adc58c43aa4b5ba77790367d0f34f76077cd84cc62e2a2c98c788a88547f32a11e549873d172c5aa2753124847cd0c

Filesize: 9KB
MD5: e19264354099e4ecc11fabe7c83daa22
SHA1: 224e01bd004043bb7fa5a4b9af7e72fe971e16dd
SHA256: dad73112811567680f6cd57918ed1dff059a4d29727e0007ea48393e81e4976a
SHA512: 8848c968dfb7af6fdabcedd215d63dc92c4947de105680f31403380c7daccc77aea0ac09abf25f90b073290950c70d70bebeb8748957e26ad80236bb59f20dcf

Filesize: 4KB
MD5: faa7f034b38e729a983965c04cc70fc1
SHA1: df8bda55b498976ea47d25d8a77539b049dab55e
SHA256: 579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA512: 7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Filesize: 21KB
MD5: 92ec4dd8c0ddd8c4305ae1684ab65fb0
SHA1: d850013d582a62e502942f0dd282cc0c29c4310e
SHA256: 5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934
SHA512: 581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Filesize: 989KB
MD5: ee58e51a81c73589acfea3fa9cc3b7e7
SHA1: 75b31d84094bcd04e459ed0ba03475c204022a70
SHA256: 7c167dcba0a6a996f739ee00628a52d7ed20442aaf64f51a408a3cc639375ee2
SHA512: 46bd806a910acfedc7abd0a2410e808a0ef2dffb899849e858fbe32c2be60e51dc85a058c4c64cb3515a866426d1b63534edd3ea1ea236dec593357b31ecd215

Filesize: 372KB
MD5: ed088e979436d402137c61d867b7877f
SHA1: a45953dbcd3240ea6c312918da6810bba7218d8b
SHA256: 10fc289863394c60d735a1c5b79c0c065289e8f7fd3dcbffb92f0de5b1e0313a
SHA512: 1bb18fff68da23cfb61a2b9b6c149cb8a9c9bcf3c82685c74e75fdab84e764c023c574f971de6f9a42e4eefd0aa305e176df72abe5f04305f6e0ee163ea71522