Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 11/05/2024, 04:27
Static task: static1
Behavioral task: behavioral1
  Sample: 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
- Target: 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
- Size: 1.0MB
- MD5: 7ce21e23096f7be6e7d68f316759d800
- SHA1: 003795d3436babe860980dbb592a6bac2ca3f88a
- SHA256: 6097d17d5ede804d2ff1440582ba9e90344e5d9add0ade81688988569b87fa25
- SHA512: 0f26e1ac49c1e8cc1f70ed3695c465703c797fd20bd9418d2eabcf28886ab8278394c16246309f65a15a2cffb444168171ce15d603459627701b69063cc06e39
- SSDEEP: 24576:tFZnpgDk9X1oTdfcuD+BCiTEfilL++mMY:trnwI1oZB2dcevmMY
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description | pid | Process | procid_target
  PID 2164 created 1232 | 2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 21
- Deletes itself (1 IoCs)
  pid | Process
  1232 | Explorer.EXE
- resource | yara_rule
  behavioral1/memory/2636-23-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-31-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-35-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-37-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-36-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-89-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-90-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-91-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-92-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-94-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-96-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-97-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-95-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-99-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-101-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-102-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
  behavioral1/memory/2636-104-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2164 set thread context of 2396 | 2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 28
  PID 2396 set thread context of 2636 | 2396 | svchost.exe | 29
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\mac.txt | cleanmgr.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
  2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
  2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
  2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
  Token: SeDebugPrivilege | 2396 | svchost.exe
  Token: SeDebugPrivilege | 2636 | cleanmgr.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2164 wrote to memory of 2396 | 2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 28
  PID 2164 wrote to memory of 2396 | 2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 28
  PID 2164 wrote to memory of 2396 | 2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 28
  PID 2164 wrote to memory of 2396 | 2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 28
  PID 2164 wrote to memory of 2396 | 2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 28
  PID 2164 wrote to memory of 2396 | 2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 28
  PID 2164 wrote to memory of 2396 | 2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 28
  PID 2164 wrote to memory of 1232 | 2164 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 21
  PID 2396 wrote to memory of 2636 | 2396 | svchost.exe | 29
  PID 2396 wrote to memory of 2636 | 2396 | svchost.exe | 29
  PID 2396 wrote to memory of 2636 | 2396 | svchost.exe | 29
  PID 2396 wrote to memory of 2636 | 2396 | svchost.exe | 29
  PID 2396 wrote to memory of 2636 | 2396 | svchost.exe | 29
  PID 2396 wrote to memory of 2636 | 2396 | svchost.exe | 29
  PID 2396 wrote to memory of 2636 | 2396 | svchost.exe | 29
  PID 2396 wrote to memory of 2636 | 2396 | svchost.exe | 29
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1232
  - Deletes itself
  - C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe"
    PID: 2164
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\svchost.exe
    command line: C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p
    PID: 2396
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cleanmgr.exe
      command line: C:\Windows\SysWOW64\cleanmgr.exe
      PID: 2636
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a