Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09/05/2024, 20:13
Static task: static1
Behavioral task: behavioral1
Sample: e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe
Resource: win7-20240221-en
General
- Target: e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe
- Size: 73KB
- MD5: e877518128cf87d1ba0331e86fae93c0
- SHA1: e6636ce3d518aa5bd1917be328a9dab032fcedb4
- SHA256: 9e8123b7355aece1c48ad55899c17f0fd78aca0b877148f2895241a4776e8852
- SHA512: af597456020183a9d4bc37acbdbddf2dc6d68b9a65ae6966ad97d5a151a36bbf252a3bf4c65ef578ddf0ac479e41342e4cc3817e52bef7876218fa434d1aa35f
- SSDEEP: 1536:gjIewPQsrz8haFpmqr76/Y3WLptb4yzwC132n6sLDDO:gjIpPN8QFda/2Yb4yzjsLXO
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2588, process cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 2648, process Logo1_.exe
  pid 2544, process e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe
- Loads dropped DLL (1 IoC)
  pid 2588, process cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All 21 entries are "File opened (read-only)" by process Logo1_.exe, on the following drive roots:
  \??\O:, \??\J:, \??\I:, \??\Z:, \??\Y:, \??\S:, \??\R:, \??\Q:, \??\H:, \??\X:, \??\T:, \??\P:, \??\E:, \??\W:, \??\U:, \??\N:, \??\M:, \??\L:, \??\V:, \??\K:, \??\G:
- Drops file in Program Files directory (64 IoCs)
  All 64 entries are by process Logo1_.exe.
  - File opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jre7\lib\management\_desktop.ini
  - File created: C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini
  - File opened for modification: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
  - File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini
  - File created: C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Google\Update\_desktop.ini
  - File created: C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini
  - File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini
  - File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_desktop.ini
  - File created: C:\Program Files\Java\jre7\lib\zi\Etc\_desktop.ini
  - File created: C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini
  - File created: C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini
  - File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini
  - File created: C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini
  - File created: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jre7\lib\cmm\_desktop.ini
  - File created: C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\_desktop.ini
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini
  - File created: C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini
  - File created: C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini
  - File created: C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini
  - File created: C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\_desktop.ini
  - File created: C:\Program Files\DVD Maker\en-US\_desktop.ini
  - File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini
  - File created: C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini
  - File created: C:\Program Files\Microsoft Games\FreeCell\en-US\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini
  - File opened for modification: C:\Program Files\Windows Media Player\Network Sharing\_desktop.ini
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini
  - File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini
  - File opened for modification: C:\Program Files\Mozilla Firefox\uninstall\helper.exe
  - File created: C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini
  - File created: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini
  - File created: C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini
  - File opened for modification: C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini
  - File created: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini
  - File created: C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows Mail\en-US\_desktop.ini
  - File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini
- Drops file in Windows directory (4 IoCs)
  - File created: C:\Windows\Dll.dll (process Logo1_.exe)
  - File created: C:\Windows\rundl132.exe (process e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe)
  - File created: C:\Windows\Logo1_.exe (process e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe)
  - File opened for modification: C:\Windows\rundl132.exe (process Logo1_.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
  pid 2904, process e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe (13 entries)
  pid 2648, process Logo1_.exe (30 entries)
- Suspicious use of WriteProcessMemory (38 IoCs)
  Each row gives the writing pid and process, the target pid, the procid_target value, and how many times the entry is repeated in the raw report.
  - PID 2904 (e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe) wrote to memory of 3016, procid_target 28, 4 entries
  - PID 3016 (net.exe) wrote to memory of 2860, procid_target 30, 4 entries
  - PID 2904 (e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe) wrote to memory of 2588, procid_target 31, 4 entries
  - PID 2904 (e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe) wrote to memory of 2648, procid_target 33, 4 entries
  - PID 2648 (Logo1_.exe) wrote to memory of 2380, procid_target 34, 4 entries
  - PID 2380 (net.exe) wrote to memory of 2408, procid_target 36, 4 entries
  - PID 2588 (cmd.exe) wrote to memory of 2544, procid_target 37, 4 entries
  - PID 2648 (Logo1_.exe) wrote to memory of 2472, procid_target 38, 4 entries
  - PID 2472 (net.exe) wrote to memory of 2428, procid_target 40, 4 entries
  - PID 2648 (Logo1_.exe) wrote to memory of 1256, procid_target 21, 2 entries
Processes
- C:\Windows\Explorer.EXE (PID 1256)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe (PID 2904)
    command line: "C:\Users\Admin\AppData\Local\Temp\e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe"
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 3016)
      command line: net stop "Kingsoft AntiVirus Service"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2860)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe (PID 2588)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a98B7.bat
      signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe (PID 2544)
        command line: "C:\Users\Admin\AppData\Local\Temp\e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe"
        signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 2648)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2380)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2408)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe (PID 2472)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2428)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 265KB
  MD5: 4cc64235c6003981db1ea177c2b87212
  SHA1: 38502de6b6e9736e40c6b2123112453445961173
  SHA256: 74e78dde7778e26c94f9ce2be244d2ee190f32974634758a1e4ff04cd9ef5c11
  SHA512: f15285baa9d7cff9185babd79a58450b7bb543abd29de183541f87a056ac80ca8c96e37fd0c487a6eae56092e49847aab279842642e4767c67e5087785d1cf55
- Filesize: 485KB
  MD5: 3ac7773258fe0684e8a28f3793a74ed3
  SHA1: 316fba91c21ea13e4576a5eeec832fd585c31ca0
  SHA256: 9f41dbbbdf4edcf63ba6262af0ae0d9a13874d0e008522af866f12f3e71b198f
  SHA512: 8d2647018107b940fe80b5ab979570b9f255764195976272b8c2ee8640b0e91493d5e7fa598b4ce29bda8f87cf495c6c71fd62734d51761b04bb5127eb5b2b4a
- Filesize: 620B
  MD5: 7e29cf549f2f9dad6939943be653584e
  SHA1: 223c6735608d8f24e00a7fef1bab1d3c7c4cab04
  SHA256: 2b121977c411ab1bf92edfc33df0e1acab31b0d17a3fa16e7915acc61d27357d
  SHA512: df703fc810b77c92e78db97971ed95aa661a2ac54fa82e5fbfe437c5748d37c279a75e939d5ca53b9941055a3456abbd895c5bd2628c0cb5984b077f30f7af97
- Filesize: 33KB
  MD5: f8b1348f68d380115f37de85ca68d3b4
  SHA1: 1e2977c49dd8d52d1db3c1f14e32205c7efacfa6
  SHA256: 9cbd9a06aba24333d873174149ca30fe5c64c767586cec1a3c833eb6880c53ee
  SHA512: 0de9ddb66b52baa31a57689f781676839ca45a7d5e9cde9f57e96aa5c2c1118187dd1948e719b0c0fcbbe01da5c3ecdfc7caa6f32ba2dad940a4b2db668a384a
- Filesize: 40KB
  MD5: 631ddb32cedc061b61ddc87286d637de
  SHA1: 4b316a4dcd624e1d66f520900800d3944c805fdf
  SHA256: c75da8fb42e45cd655454114f62c3b039a20cf4ffa58658e7d7eebb69e50e3ea
  SHA512: a4ef8392c6d75a3fd31f0cb1aff66ea12a37fecf131547d78607331eca6406348c1964318f5baa1a20289fb5930ece7ab64b7c490a002ef8ef7c16b2a9913a77
- Filesize: 8B
  MD5: d970a2bfcaa076939c06270d1a48dec8
  SHA1: 7a558f4d64c3e98bcfd2af83f28e6fbd207a39e1
  SHA256: bdc6872f9a0a011a670907f0fedad9b88e283c5af545cf9f6bd73c3709967d44
  SHA512: ea4c16930628455852ce343f8ae248b6df869b8da10b10928ebb802129f73d9761971811de317c7d3121b815340027782ec15d385d1d2d7df8fd0a46b62974c2