Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10/05/2024, 04:47
Static task: static1
Behavioral task: behavioral1
  Sample: 730557fb203ad79ff24df1ade72fc7b0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 730557fb203ad79ff24df1ade72fc7b0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 730557fb203ad79ff24df1ade72fc7b0_NeikiAnalytics.exe
Size: 79KB
MD5: 730557fb203ad79ff24df1ade72fc7b0
SHA1: 889a82386acc496d8aab35afef111022b8b42eae
SHA256: 78545cd61d5a0ad4016b1f7e239541f8d69ff7c3e34e632d63da24636a0a373a
SHA512: 2bf0a1fb6550c42f556e2e5980733a2e86802913b5bdd7a2575b2890be82a608c9fd0ba3b12a2e9b044ddb75c902b5a579faf010cac123de1091a66286175c62
SSDEEP: 1536:zvdpDHWjMdEtZeZv9OQA8AkqUhMb2nuy5wgIP0CSJ+5yOB8GMGlZ5G:zvdpCIcmvkGdqU7uy5w9WMyON5G
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  1032  [email protected]
Loads dropped DLL (2 IoCs)
  pid   Process
  3012  cmd.exe
  3012  cmd.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process                                               procid_target
  PID 2172 wrote to memory of 3012     2172  730557fb203ad79ff24df1ade72fc7b0_NeikiAnalytics.exe  29
  PID 2172 wrote to memory of 3012     2172  730557fb203ad79ff24df1ade72fc7b0_NeikiAnalytics.exe  29
  PID 2172 wrote to memory of 3012     2172  730557fb203ad79ff24df1ade72fc7b0_NeikiAnalytics.exe  29
  PID 2172 wrote to memory of 3012     2172  730557fb203ad79ff24df1ade72fc7b0_NeikiAnalytics.exe  29
  PID 3012 wrote to memory of 1032     3012  cmd.exe                                               30
  PID 3012 wrote to memory of 1032     3012  cmd.exe                                               30
  PID 3012 wrote to memory of 1032     3012  cmd.exe                                               30
  PID 3012 wrote to memory of 1032     3012  cmd.exe                                               30
Processes
C:\Users\Admin\AppData\Local\Temp\730557fb203ad79ff24df1ade72fc7b0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\730557fb203ad79ff24df1ade72fc7b0_NeikiAnalytics.exe"
  PID: 2172
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c [email protected]
    PID: 3012
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\[email protected]
      PID: 1032
Network
MITRE ATT&CK Matrix
Downloads
\Users\Admin\AppData\Local\Temp\[email protected]
  Filesize: 79KB
  MD5: 46bb278189f23a0a3451bb9ff7612a7d
  SHA1: c0b6c28c74a8d500dc9ad64adcc83834e2820402
  SHA256: 5749a09ad16c88570300ee28c7b0867c57b59fa7c5f5164495c9895d6d174b20
  SHA512: 5d5056474edb0e3493bd28b0ca95266bcfca6a920823fbe58d6a8491643e317350035d9fe2da65b22b461a40b828205b5497209e9948a98681f6cb6a0442ed31