Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
10/05/2024, 13:20
Behavioral task
behavioral1
Sample
ea3fcad10e7360f86e32848574107810_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
ea3fcad10e7360f86e32848574107810_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
ea3fcad10e7360f86e32848574107810_NeikiAnalytics.exe
-
Size
4.3MB
-
MD5
ea3fcad10e7360f86e32848574107810
-
SHA1
5c6c0e26b337cfb03944756ce7cede8be8576af8
-
SHA256
21297f29d97dbd948c68f37294f130e4a331e1438cd5fa2339d291a23e041449
-
SHA512
0c5bae4d0545c54e50e72bbaf16c6ce4eb5119bba055f259602d7dbe4421878f632c63c61f25f6384230d0a702e0ce0cffb3cdc0ef67342ff44ec9dbb20eb103
-
SSDEEP
98304:lqs7WQUP+Mxzy8RjJ+6qKgv9dAdw+EKnU3pO9uqeL:wsCQy+N8RjJUKO9dagRZOpeL
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2796 zeoiu.exe -
Loads dropped DLL 1 IoCs
pid Process 2416 ea3fcad10e7360f86e32848574107810_NeikiAnalytics.exe -
resource yara_rule behavioral1/memory/2416-37-0x0000000000400000-0x0000000000AFC000-memory.dmp vmprotect behavioral1/memory/2416-39-0x0000000000400000-0x0000000000AFC000-memory.dmp vmprotect behavioral1/files/0x0036000000015cb8-40.dat vmprotect behavioral1/memory/2416-44-0x0000000000400000-0x0000000000AFC000-memory.dmp vmprotect behavioral1/memory/2796-45-0x0000000000400000-0x0000000000AFC000-memory.dmp vmprotect behavioral1/memory/2796-84-0x0000000000400000-0x0000000000AFC000-memory.dmp vmprotect behavioral1/memory/2796-83-0x0000000000400000-0x0000000000AFC000-memory.dmp vmprotect -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2416 ea3fcad10e7360f86e32848574107810_NeikiAnalytics.exe 2796 zeoiu.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2416 ea3fcad10e7360f86e32848574107810_NeikiAnalytics.exe 2416 ea3fcad10e7360f86e32848574107810_NeikiAnalytics.exe 2796 zeoiu.exe 2796 zeoiu.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2416 wrote to memory of 2796 2416 ea3fcad10e7360f86e32848574107810_NeikiAnalytics.exe 28 PID 2416 wrote to memory of 2796 2416 ea3fcad10e7360f86e32848574107810_NeikiAnalytics.exe 28 PID 2416 wrote to memory of 2796 2416 ea3fcad10e7360f86e32848574107810_NeikiAnalytics.exe 28 PID 2416 wrote to memory of 2796 2416 ea3fcad10e7360f86e32848574107810_NeikiAnalytics.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea3fcad10e7360f86e32848574107810_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ea3fcad10e7360f86e32848574107810_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Users\Admin\AppData\Local\Temp\opeu\zeoiu.exe"C:\Users\Admin\AppData\Local\Temp\opeu\zeoiu.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2796
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.3MB
MD5845cd78af716a31ecd3f0545cf6b44a4
SHA127016eda19b8da00b655d90b0c7b4bc6211c7149
SHA256a59ddd6cb1106ca47b83ba1eba4ed5f9ed72847c867a30a082741c69679816ec
SHA5120a76625fe654f6dcba5839d1568420a81b13c5fdb0e9d04406bea46822844925fbc3b34038fdbc78e8ebed413c286b71863ce20c5f8f85a6fd0660a23ddf75bd