Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 10/05/2024, 18:32
Behavioral task: behavioral1
- Sample: 42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe
- Size: 4.2MB
- MD5: 42f7a8eaa7c7f56d1c5e894130788980
- SHA1: 51676c5d880bed1eb1b7d9023edb28fdb623ac51
- SHA256: e84d44bedee6b09ddb6c1a3866d9a192ea1ab5cc84d1c0a1fe5f8e6d90079fdb
- SHA512: e2a481725f6aa49f52dcb86fd3aae99b48d66066514a20d241492c87e4a765ec51d851d24459bee2f8bc4577bb49ef43f42bc995082d15421b7eb13c65c272e8
- SSDEEP: 98304:doILtJwb4X+nJitKyRyVMnY9wkr/cHvNrTMCS/WAPoWkXEMhYSDDhqAaj:eYJ3X+JMKyR06vrPNrTMC+voWkXOwij
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2668, process ybe.exe
- Loads dropped DLL (1 IoC)
  pid 2216, process 42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe
- YARA rule hits (resource, yara_rule)
  behavioral1/memory/2216-39-0x0000000000400000-0x0000000000AF1000-memory.dmp: vmprotect
  behavioral1/files/0x0009000000015c78-43.dat: vmprotect
  behavioral1/memory/2216-45-0x0000000000400000-0x0000000000AF1000-memory.dmp: vmprotect
  behavioral1/memory/2216-35-0x0000000000400000-0x0000000000AF1000-memory.dmp: vmprotect
  behavioral1/memory/2668-83-0x0000000000400000-0x0000000000AF1000-memory.dmp: vmprotect
  behavioral1/memory/2668-84-0x0000000000400000-0x0000000000AF1000-memory.dmp: vmprotect
  behavioral1/memory/2668-85-0x0000000000400000-0x0000000000AF1000-memory.dmp: vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 2216, process 42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe
  pid 2668, process ybe.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2216, process 42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe
  pid 2216, process 42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe
  pid 2668, process ybe.exe
  pid 2668, process ybe.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description / pid / process / procid_target:
  PID 2216 wrote to memory of 2668 / 2216 / 42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe / 28
  PID 2216 wrote to memory of 2668 / 2216 / 42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe / 28
  PID 2216 wrote to memory of 2668 / 2216 / 42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe / 28
  PID 2216 wrote to memory of 2668 / 2216 / 42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe / 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe"
   PID: 2216
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\wkeo\ybe.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\wkeo\ybe.exe"
      PID: 2668
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 4.2MB
- MD5: 3da2a1533302272f455435a72e57e05a
- SHA1: 4440df87134c10f7bccf51facaa2b60e3258da86
- SHA256: e1296798dc8ae98c67d13d0275452397383b7595c9245add60bf9edc1f07a60f
- SHA512: 73b5686eae55b11a2364e0e163818738e88d8213caa06d5b6869f9d1e1a98e9ebb756cc3748737db960a17f2ff56b86cd78ef1d6df68ab2d21b76e1bb52d6c01