Analysis
max time kernel: 14s
max time network: 130s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10/05/2024, 09:04
Static task: static1
Behavioral task: behavioral1
  Sample: b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
Size: 92KB
MD5: b0a3abc04df94a2135663a77fc15ab50
SHA1: 37f00e65f5936fc8de5ff0873b2292ad31277c7f
SHA256: 8e3eb1029eda7cb03dd2fb85f7f77c51726534032a884a386774adbef2ffe561
SHA512: 409e444870c597fbf7d875d20e9582d216bfe0257fa6aa3260ead7fe7e83699419f51cd39c52000b52989762999bdd13bbea17d91717d2576769b37c06691743
SSDEEP: 1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FiG+sdguxnSngBNps07QJ:HQC/yj5JO3MniG+Hu5s07QJ
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
pid   Process
2684  MSWDM.EXE
2472  MSWDM.EXE
2672  B0A3ABC04DF94A2135663A77FC15AB50_NEIKIANALYTICS.EXE
2500  MSWDM.EXE

Loads dropped DLL (2 IoCs)
pid   Process
2472  MSWDM.EXE
2472  MSWDM.EXE

Adds Run key to start application (2 TTPs, 4 IoCs)
description      ioc                                                                                                     Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          MSWDM.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  MSWDM.EXE

Drops file in Windows directory (3 IoCs)
description                   ioc                     Process
File created                  C:\WINDOWS\MSWDM.EXE    b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
File opened for modification  C:\Windows\dev9415.tmp  b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
File opened for modification  C:\Windows\dev9415.tmp  MSWDM.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid   Process
2472  MSWDM.EXE

Suspicious use of WriteProcessMemory (16 IoCs; each of the four distinct entries below is logged four times)
description                       pid   Process                                               procid_target  entries
PID 2264 wrote to memory of 2684  2264  b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe  28             4
PID 2264 wrote to memory of 2472  2264  b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe  29             4
PID 2472 wrote to memory of 2672  2472  MSWDM.EXE                                             30             4
PID 2472 wrote to memory of 2500  2472  MSWDM.EXE                                             32             4
Processes
C:\Users\Admin\AppData\Local\Temp\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe (PID 2264)
  command line: "C:\Users\Admin\AppData\Local\Temp\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\WINDOWS\MSWDM.EXE (PID 2684)
    command line: "C:\WINDOWS\MSWDM.EXE"
    - Executes dropped EXE
    - Adds Run key to start application
  C:\WINDOWS\MSWDM.EXE (PID 2472)
    command line: -r!C:\Windows\dev9415.tmp!C:\Users\Admin\AppData\Local\Temp\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe! !
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\B0A3ABC04DF94A2135663A77FC15AB50_NEIKIANALYTICS.EXE (PID 2672)
      - Executes dropped EXE
    C:\WINDOWS\MSWDM.EXE (PID 2500)
      command line: -e!C:\Windows\dev9415.tmp!C:\Users\Admin\AppData\Local\Temp\B0A3ABC04DF94A2135663A77FC15AB50_NEIKIANALYTICS.EXE!
      - Executes dropped EXE
      - Drops file in Windows directory
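The signatures and process tree above record one pattern in three steps: the sample writes a copy of itself to C:\WINDOWS\MSWDM.EXE, sets the bare file name "MSWDM.EXE" as the WDM value under both the Wow6432Node Run and RunServices keys, and then runs the copy with the -r!tmp!path! ! and -e!tmp!path! argument convention. Two points a responder should keep in mind: the Run entry works even though it holds no path, because a bare name is resolved by path search at logon and C:\Windows is on the default PATH; and RunServices is a Windows 9x-era key that Windows 7 and Windows 10 never process, so that entry is an indicator rather than a second working persistence mechanism. The detection below is an added example written for this page, not tria.ge code. It replays constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set; the field names are Sysmon's, the values are modelled on this report's IoCs, and the three benign events are made up), correlates a file dropped directly into %WINDIR% with an autorun value that names it, and flags every later launch of that file. The -r/-e argument regex is generalised from the two invocations in the tree; the report does not say what the switches mean.

```python
"""Detection for the drop / autorun / relaunch pattern recorded in this report.

Added example, not tria.ge code. SAMPLE_EVENTS are constructed Sysmon-style
records: field names follow Sysmon, values mirror the report's IoCs, and the
benign events (PIDs 1200, 1500, 1800) are invented negative controls.
"""
import re
from typing import Iterable

# Any value under a per-machine or per-user autostart key. Run and RunServices
# are the two seen in this report; RunOnce is included for completeness.
AUTORUN_VALUE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices)\\[^\\]+$",
    re.IGNORECASE,
)
# A file written directly into the Windows directory (not a sub-directory).
WINDIR_FILE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+$", re.IGNORECASE)
# The sample's own argument convention, generalised (assumption) from the two
# invocations in the process tree: -r!<tmp>!<path>! !  and  -e!<tmp>!<path>!
MSWDM_ARGS = re.compile(r"^-(?P<mode>[re])!(?P<tmp>[^!]+)!(?P<host>[^!]+)!", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> list[dict]:
    """Walk events in order; return one finding dict per suspicious event."""
    dropped: dict[str, str] = {}  # lower-case basename -> path written into %WINDIR%
    findings: list[dict] = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == 11 and WINDIR_FILE.match(ev["TargetFilename"]):
            path = ev["TargetFilename"]
            dropped[_basename(path)] = path
            findings.append({"rule": "windir_drop", "pid": pid, "path": path})
        elif eid == 13 and AUTORUN_VALUE.search(ev["TargetObject"]):
            data = ev["Details"].strip('"')
            # A bare file name (no backslash) is resolved by path search at
            # logon, and C:\Windows is on the default PATH, so a copy dropped
            # there wins. A full path to an installed product is normal.
            if "\\" not in data:
                findings.append({
                    "rule": "autorun_bare_name",
                    "pid": pid,
                    "key": ev["TargetObject"],
                    "value": data,
                    "dropped_match": dropped.get(data.lower()),
                })
        elif eid == 1:
            image = ev["Image"]
            m = MSWDM_ARGS.match(ev["CommandLine"])
            if _basename(image) in dropped or m:
                findings.append({
                    "rule": "exec_dropped" if _basename(image) in dropped else "mswdm_args",
                    "pid": pid,
                    "image": image,
                    "args": m.groupdict() if m else None,
                })
    return findings


# Constructed events modelled on the report (PIDs as shown in the process tree).
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe"
SAMPLE_UPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\B0A3ABC04DF94A2135663A77FC15AB50_NEIKIANALYTICS.EXE"
COPY = "C:\\WINDOWS\\MSWDM.EXE"
TMP = "C:\\Windows\\dev9415.tmp"
WOW_CV = "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\"
ONEDRIVE = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 2264, "Image": SAMPLE, "TargetFilename": COPY},
    {"EventID": 11, "ProcessId": 2264, "Image": SAMPLE, "TargetFilename": TMP},
    {"EventID": 13, "ProcessId": 2264, "Image": SAMPLE, "TargetObject": WOW_CV + "Run\\WDM", "Details": "MSWDM.EXE"},
    {"EventID": 13, "ProcessId": 2264, "Image": SAMPLE, "TargetObject": WOW_CV + "RunServices\\WDM", "Details": "MSWDM.EXE"},
    {"EventID": 1, "ProcessId": 2684, "ParentProcessId": 2264, "Image": COPY, "CommandLine": f'"{COPY}"'},
    {"EventID": 13, "ProcessId": 2684, "Image": COPY, "TargetObject": WOW_CV + "Run\\WDM", "Details": "MSWDM.EXE"},
    {"EventID": 13, "ProcessId": 2684, "Image": COPY, "TargetObject": WOW_CV + "RunServices\\WDM", "Details": "MSWDM.EXE"},
    {"EventID": 1, "ProcessId": 2472, "ParentProcessId": 2264, "Image": COPY, "CommandLine": f"-r!{TMP}!{SAMPLE}! !"},
    {"EventID": 1, "ProcessId": 2500, "ParentProcessId": 2472, "Image": COPY, "CommandLine": f"-e!{TMP}!{SAMPLE_UPPER}!"},
    # Invented benign noise that must not fire: a log in a sub-directory, an
    # autorun value holding a full path, and an unrelated process start.
    {"EventID": 11, "ProcessId": 1200, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\Temp\\MpCmdRun.log"},
    {"EventID": 13, "ProcessId": 1500, "Image": ONEDRIVE, "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": f'"{ONEDRIVE}" /background'},
    {"EventID": 1, "ProcessId": 1800, "ParentProcessId": 1500, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The correlation is deliberately stateful: an autorun value that names a bare executable is only strongly suspicious when that name was just written into a directory on the search path, which is exactly the order of events in the tree above (file created, then both keys set, then the copy started). On a live host the same three checks map onto Sysmon EventIDs 11, 13 and 1, and the WriteProcessMemory and EnumeratesProcesses signatures are not needed to catch it.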
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 92KB
MD5: 3a5fa7a9bfd9df682015b59d4e14b65b
SHA1: 6a123f8fda535a0b19737015aa797960d1f2c3ad
SHA256: bfb7d1200e8d45187248f18ed2fe6ffd775bc9fb4f38a5373b6e48004daafa8b
SHA512: 9f2d1b92476101d229914facbdfaf77e9bdea47ba1ccd43be5fdfd6dd42bf00caf2c07f4a9036363d4cf9fe0f80f0f747e8523e660279747eb60ad988000ea7a

Filesize: 80KB
MD5: a587704ff11199aa99e958a49d6bfd35
SHA1: ecd0936cf9adc9d2e6d379d68d34a340ca473da7
SHA256: d97cbb9d5212b8af14afa8a218d5553cf9c912d1f743e4deedcfbbe482a68abf
SHA512: ebf23a92898d8a4d2e2646a2b6a5aace8976d89651d154ca0f642baf0e750d24061314d953b6977b87cbce25a1a13c3a7b5b49a9eda54a677f20a9097fda9b67

Filesize: 12KB
MD5: 897cc6ed17649490dec8e20e9dd7ffd6
SHA1: cb3a77d8dd7edf46de54545ca7b0c5b201f85917
SHA256: cfb6b16c6c7ee64111fe96a82c4619db26ea4bac0e39c5cb29d1181b8c065f34
SHA512: b719f7b95f723d0563b270f1260d086168b118189ca74f2aef37e90ad55d66f5c261ecfb15f77e80af6a551587b966bf48818a6421350f8e86b8a5f59acbc2ca