Analysis
max time kernel: 16s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 10/05/2024, 09:04
Static task: static1
Behavioral task: behavioral1
  Sample: b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
Size: 92KB
MD5: b0a3abc04df94a2135663a77fc15ab50
SHA1: 37f00e65f5936fc8de5ff0873b2292ad31277c7f
SHA256: 8e3eb1029eda7cb03dd2fb85f7f77c51726534032a884a386774adbef2ffe561
SHA512: 409e444870c597fbf7d875d20e9582d216bfe0257fa6aa3260ead7fe7e83699419f51cd39c52000b52989762999bdd13bbea17d91717d2576769b37c06691743
SSDEEP: 1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FiG+sdguxnSngBNps07QJ:HQC/yj5JO3MniG+Hu5s07QJ
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
pid  | Process
632  | MSWDM.EXE
4648 | MSWDM.EXE
4984 | B0A3ABC04DF94A2135663A77FC15AB50_NEIKIANALYTICS.EXE
748  | MSWDM.EXE

Adds Run key to start application (2 TTPs, 4 IoCs)
description     | ioc                                                                                        | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"         | b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"         | MSWDM.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE

Drops file in Windows directory (3 IoCs)
description                  | ioc                      | Process
File opened for modification | C:\Windows\dev33F1.tmp   | MSWDM.EXE
File created                 | C:\WINDOWS\MSWDM.EXE     | b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
File opened for modification | C:\Windows\dev33F1.tmp   | b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  | Process
4648 | MSWDM.EXE
4648 | MSWDM.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
description                  | pid  | Process                                             | procid_target
PID 1008 wrote to memory of 632  | 1008 | b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe | 83
PID 1008 wrote to memory of 632  | 1008 | b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe | 83
PID 1008 wrote to memory of 632  | 1008 | b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe | 83
PID 1008 wrote to memory of 4648 | 1008 | b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe | 84
PID 1008 wrote to memory of 4648 | 1008 | b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe | 84
PID 1008 wrote to memory of 4648 | 1008 | b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe | 84
PID 4648 wrote to memory of 4984 | 4648 | MSWDM.EXE                                           | 85
PID 4648 wrote to memory of 4984 | 4648 | MSWDM.EXE                                           | 85
PID 4648 wrote to memory of 4984 | 4648 | MSWDM.EXE                                           | 85
PID 4648 wrote to memory of 748  | 4648 | MSWDM.EXE                                           | 87
PID 4648 wrote to memory of 748  | 4648 | MSWDM.EXE                                           | 87
PID 4648 wrote to memory of 748  | 4648 | MSWDM.EXE                                           | 87
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe"
  PID: 1008
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\WINDOWS\MSWDM.EXE
    Command line: "C:\WINDOWS\MSWDM.EXE"
    PID: 632
    - Executes dropped EXE
    - Adds Run key to start application

  Depth 2: C:\WINDOWS\MSWDM.EXE
    Command line: -r!C:\Windows\dev33F1.tmp!C:\Users\Admin\AppData\Local\Temp\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe! !
    PID: 4648
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\B0A3ABC04DF94A2135663A77FC15AB50_NEIKIANALYTICS.EXE
      PID: 4984
      - Executes dropped EXE

    Depth 3: C:\WINDOWS\MSWDM.EXE
      Command line: -e!C:\Windows\dev33F1.tmp!C:\Users\Admin\AppData\Local\Temp\B0A3ABC04DF94A2135663A77FC15AB50_NEIKIANALYTICS.EXE!
      PID: 748
      - Executes dropped EXE
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 92KB
MD5: 9a07fc45f62687cc601d9c7a92d31bbd
SHA1: be39fc0b610d4fb1b5a4a14f0da149ef91757438
SHA256: 780f1c5779b96560eff259a05b5d3c066ec6432c1b6b8d4a60316d71862e8122
SHA512: c9c57df52b71b233171df6a2d052a5c2e73036c5e045005a6c5c70499f7119c3023946af54755d6363fa707c7e1446fb569ccfb11545afe5b96ce20da5c2abae

Filesize: 80KB
MD5: a587704ff11199aa99e958a49d6bfd35
SHA1: ecd0936cf9adc9d2e6d379d68d34a340ca473da7
SHA256: d97cbb9d5212b8af14afa8a218d5553cf9c912d1f743e4deedcfbbe482a68abf
SHA512: ebf23a92898d8a4d2e2646a2b6a5aace8976d89651d154ca0f642baf0e750d24061314d953b6977b87cbce25a1a13c3a7b5b49a9eda54a677f20a9097fda9b67

Filesize: 12KB
MD5: 897cc6ed17649490dec8e20e9dd7ffd6
SHA1: cb3a77d8dd7edf46de54545ca7b0c5b201f85917
SHA256: cfb6b16c6c7ee64111fe96a82c4619db26ea4bac0e39c5cb29d1181b8c065f34
SHA512: b719f7b95f723d0563b270f1260d086168b118189ca74f2aef37e90ad55d66f5c261ecfb15f77e80af6a551587b966bf48818a6421350f8e86b8a5f59acbc2ca