Analysis
max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/05/2024, 06:29
Behavioral task: behavioral1
Sample: 933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: 933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe
Size: 3.7MB
MD5: 933b539f4cc44ebca85d33788b168fa0
SHA1: 2b768fafe47f28bad6b218c899a8a9bde3c4e8d0
SHA256: b73a5ad53c0537e2c2b1ffdd3378c553dbdee4d3cdabc4cfa779646af59307d9
SHA512: 88135a0ee9efcd071676d4b867f1a6cef602ccadb1517acb3820f9dbb98775a08b97d3c72fbb93dc638ce409403ea5640861741598362516d3a198fa76216898
SSDEEP: 98304:y3rWjizNfd71aofFsZJzHBKCVKpah3+R1icFW9w1/eNJ4C1:yWji9iTBKpT1icFb/egC1
Malware Config
Signatures

Modifies AppInit DLL entries (2 TTPs)

Executes dropped EXE (1 IoC)
pid  | Process
1376 | gjsfhjk.exe

YARA matches
resource                                                                   | yara_rule
behavioral1/memory/2192-0-0x0000000000400000-0x0000000000994000-memory.dmp | vmprotect
behavioral1/files/0x0033000000014b63-7.dat                                 | vmprotect
behavioral1/memory/1376-9-0x0000000000400000-0x0000000000994000-memory.dmp | vmprotect

Drops file in Program Files directory (2 IoCs)
description  | ioc                               | Process
File created | C:\PROGRA~3\Mozilla\gjsfhjk.exe   | 933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe
File created | C:\PROGRA~3\Mozilla\eurgebe.dll   | gjsfhjk.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid  | Process
2192 | 933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe
1376 | gjsfhjk.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                        | pid  | Process     | procid_target
PID 2908 wrote to memory of 1376   | 2908 | taskeng.exe | 29
PID 2908 wrote to memory of 1376   | 2908 | taskeng.exe | 29
PID 2908 wrote to memory of 1376   | 2908 | taskeng.exe | 29
PID 2908 wrote to memory of 1376   | 2908 | taskeng.exe | 29
Processes

C:\Users\Admin\AppData\Local\Temp\933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe"
  PID: 2192
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {5A427E5C-F009-4146-9259-2346746A8C52} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2908
  - Suspicious use of WriteProcessMemory

  C:\PROGRA~3\Mozilla\gjsfhjk.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\gjsfhjk.exe -tuxiydl
    PID: 1376
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.7MB
MD5: bd70530cc8a2e963f19871a5c9003fe4
SHA1: f5aefff6e5cc092639520b4e5981a470c4767bd1
SHA256: 660b7a2c18ecfdac826ed9a2f6294b473a339297ac5f0b890c82088a38d012cc
SHA512: e646d2094051c5c154d353d132ca5b23759b329d283feb2dcf03612521913d3a359c336e18b11f68c94223b660db06fb8ce4c77790d76b7fea3a4cca9d7618a4