Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 142s
max time network: 146s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 11/05/2024, 03:33
Behavioral task: behavioral1
Sample: 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe
Size: 1.6MB
MD5: 6ea40c2d02ba5d8f0eec8c3776160050
SHA1: 773b915271faec00d48d469130dd25bc305b5a80
SHA256: 1da94573936cb39e711d0756429bbbc73ac80183632aeebeca54156ad24c6186
SHA512: 46166ae388de55a0623aa347eb9443d8d569043a06dc520b8f1f4b1a9dcc9a39536e0ed555fde71021a55d312c43c30c65fb1fd6a56187e85b4e558a61770395
SSDEEP: 24576:zYxIAZwWIGiEz/1CUOys8vf9bHMbjshvE/R6njW+qOziufuGebc:zgIAZwWzNvO6flfmRktqDOuGS
Malware Config
Signatures
Detect Blackmoon payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2208-10-0x00000000003C0000-0x00000000003EE000-memory.dmp | family_blackmoon
behavioral1/memory/2208-23-0x00000000003C0000-0x00000000003EE000-memory.dmp | family_blackmoon

Deletes itself (1 IoC)
pid | Process
2280 | cmd.exe

Executes dropped EXE (2 IoCs)
pid | Process
2804 | MLclRLRrUZ.exe
1240 | MLclRLRrUZ.exe

Loads dropped DLL (2 IoCs)
pid | Process
2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe
2804 | MLclRLRrUZ.exe

resource | yara_rule
behavioral1/memory/1240-49-0x0000000000720000-0x000000000072B000-memory.dmp | upx

resource | yara_rule
behavioral1/memory/2208-0-0x0000000000400000-0x0000000000706000-memory.dmp | vmprotect
behavioral1/memory/2208-9-0x0000000000400000-0x0000000000706000-memory.dmp | vmprotect
behavioral1/files/0x000a000000012280-12.dat | vmprotect
behavioral1/memory/2208-13-0x0000000002DB0000-0x00000000030B6000-memory.dmp | vmprotect
behavioral1/memory/2804-18-0x0000000000400000-0x0000000000706000-memory.dmp | vmprotect
behavioral1/memory/2208-22-0x0000000000400000-0x0000000000706000-memory.dmp | vmprotect
behavioral1/memory/2804-32-0x0000000000400000-0x0000000000706000-memory.dmp | vmprotect
behavioral1/memory/2804-38-0x0000000000400000-0x0000000000706000-memory.dmp | vmprotect
behavioral1/memory/1240-39-0x0000000000400000-0x0000000000706000-memory.dmp | vmprotect
behavioral1/memory/1240-48-0x0000000000400000-0x0000000000706000-memory.dmp | vmprotect
behavioral1/memory/1240-50-0x0000000000400000-0x0000000000706000-memory.dmp | vmprotect

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\MLclRLRrUZ.exe | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\MLclRLRrUZ.exe | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe
File created | C:\Windows\system32\MLclRLRrUZ.exe | MLclRLRrUZ.exe
File opened for modification | C:\Windows\system32\MLclRLRrUZ.exe | MLclRLRrUZ.exe

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
2740 | PING.EXE

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe
2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe
2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe
2804 | MLclRLRrUZ.exe
2804 | MLclRLRrUZ.exe
2804 | MLclRLRrUZ.exe
2804 | MLclRLRrUZ.exe
2804 | MLclRLRrUZ.exe
2804 | MLclRLRrUZ.exe
1240 | MLclRLRrUZ.exe

Suspicious behavior: RenamesItself (1 IoC)
pid | Process
2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe
2804 | MLclRLRrUZ.exe
1240 | MLclRLRrUZ.exe

Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 2208 wrote to memory of 2804 | 2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe | 28
PID 2208 wrote to memory of 2804 | 2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe | 28
PID 2208 wrote to memory of 2804 | 2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe | 28
PID 2208 wrote to memory of 2804 | 2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe | 28
PID 2208 wrote to memory of 2804 | 2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe | 28
PID 2208 wrote to memory of 2804 | 2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe | 28
PID 2208 wrote to memory of 2804 | 2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe | 28
PID 2208 wrote to memory of 2280 | 2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe | 29
PID 2208 wrote to memory of 2280 | 2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe | 29
PID 2208 wrote to memory of 2280 | 2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe | 29
PID 2208 wrote to memory of 2280 | 2208 | 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe | 29
PID 2280 wrote to memory of 2740 | 2280 | cmd.exe | 31
PID 2280 wrote to memory of 2740 | 2280 | cmd.exe | 31
PID 2280 wrote to memory of 2740 | 2280 | cmd.exe | 31
PID 2280 wrote to memory of 2740 | 2280 | cmd.exe | 31
PID 2804 wrote to memory of 1240 | 2804 | MLclRLRrUZ.exe | 32
PID 2804 wrote to memory of 1240 | 2804 | MLclRLRrUZ.exe | 32
PID 2804 wrote to memory of 1240 | 2804 | MLclRLRrUZ.exe | 32
PID 2804 wrote to memory of 1240 | 2804 | MLclRLRrUZ.exe | 32
PID 2804 wrote to memory of 1240 | 2804 | MLclRLRrUZ.exe | 32
PID 2804 wrote to memory of 1240 | 2804 | MLclRLRrUZ.exe | 32
PID 2804 wrote to memory of 1240 | 2804 | MLclRLRrUZ.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe"
  PID: 2208
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\MLclRLRrUZ.exe
    Command line: -auto C:\Windows\system32\\MLclRLRrUZ.exe
    PID: 2804
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\MLclRLRrUZ.exe
      Command line: -troj
      PID: 1240
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul && exit
    PID: 2280
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 127.0.0.1
      PID: 2740
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.6MB
MD5: 6ea40c2d02ba5d8f0eec8c3776160050
SHA1: 773b915271faec00d48d469130dd25bc305b5a80
SHA256: 1da94573936cb39e711d0756429bbbc73ac80183632aeebeca54156ad24c6186
SHA512: 46166ae388de55a0623aa347eb9443d8d569043a06dc520b8f1f4b1a9dcc9a39536e0ed555fde71021a55d312c43c30c65fb1fd6a56187e85b4e558a61770395