Analysis

max time kernel: 13s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17/05/2024, 17:00
Static task: static1

Behavioral task: behavioral1
  Sample: f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General

Target: f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe
Size: 62KB
MD5: f084041a5a6c875e977679e30a1edce0
SHA1: 777490c2769746e56f8e58011b6d1cb2b7482d64
SHA256: 5404a26308cb0193e3909167bd7b672155a40f390ac69c016b24076aebc7e319
SHA512: 236e9b5e23f25449d753a4bd789bf2c69e21c4591ce9f26b745511b15abe24bd49dd5e757facd5b2146194b567abe4815b57aabe616ac17cd92cf9711eb97a64
SSDEEP: 1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FBG+sQjkrDl9HNVl5S:HQC/yj5JO3MnBG+NkrD7HNVl5S
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
  PID   Process
  2272  MSWDM.EXE
  2548  MSWDM.EXE
  2708  F084041A5A6C875E977679E30A1EDCE0_NEIKIANALYTICS.EXE
  2704  MSWDM.EXE

Loads dropped DLL (2 IoCs)
  PID   Process
  2548  MSWDM.EXE
  2548  MSWDM.EXE

Adds Run key to start application (2 TTPs, 4 IoCs)
  Description      IoC                                                                                             Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          MSWDM.EXE
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  MSWDM.EXE

Drops file in Windows directory (3 IoCs)
  Description                   IoC                     Process
  File opened for modification  C:\Windows\dev1E98.tmp  MSWDM.EXE
  File created                  C:\WINDOWS\MSWDM.EXE    f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe
  File opened for modification  C:\Windows\dev1E98.tmp  f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID   Process
  2548  MSWDM.EXE

Suspicious use of WriteProcessMemory (16 IoCs)
  Description                       PID   Process                                              Target procid
  PID 1728 wrote to memory of 2272  1728  f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe  28
  PID 1728 wrote to memory of 2272  1728  f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe  28
  PID 1728 wrote to memory of 2272  1728  f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe  28
  PID 1728 wrote to memory of 2272  1728  f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe  28
  PID 1728 wrote to memory of 2548  1728  f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe  29
  PID 1728 wrote to memory of 2548  1728  f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe  29
  PID 1728 wrote to memory of 2548  1728  f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe  29
  PID 1728 wrote to memory of 2548  1728  f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe  29
  PID 2548 wrote to memory of 2708  2548  MSWDM.EXE                                            30
  PID 2548 wrote to memory of 2708  2548  MSWDM.EXE                                            30
  PID 2548 wrote to memory of 2708  2548  MSWDM.EXE                                            30
  PID 2548 wrote to memory of 2708  2548  MSWDM.EXE                                            30
  PID 2548 wrote to memory of 2704  2548  MSWDM.EXE                                            31
  PID 2548 wrote to memory of 2704  2548  MSWDM.EXE                                            31
  PID 2548 wrote to memory of 2704  2548  MSWDM.EXE                                            31
  PID 2548 wrote to memory of 2704  2548  MSWDM.EXE                                            31
Processes

C:\Users\Admin\AppData\Local\Temp\f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe"
  PID: 1728
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\WINDOWS\MSWDM.EXE
    Command line: "C:\WINDOWS\MSWDM.EXE"
    PID: 2272
    - Executes dropped EXE
    - Adds Run key to start application

  C:\WINDOWS\MSWDM.EXE
    Command line: -r!C:\Windows\dev1E98.tmp!C:\Users\Admin\AppData\Local\Temp\f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe! !
    PID: 2548
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\F084041A5A6C875E977679E30A1EDCE0_NEIKIANALYTICS.EXE
      PID: 2708
      - Executes dropped EXE

    C:\WINDOWS\MSWDM.EXE
      Command line: -e!C:\Windows\dev1E98.tmp!C:\Users\Admin\AppData\Local\Temp\F084041A5A6C875E977679E30A1EDCE0_NEIKIANALYTICS.EXE!
      PID: 2704
      - Executes dropped EXE
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 62KB
MD5: 15f2b1516ea9ad7338e4779ef9d1d55d
SHA1: 434f6d275eaf1c6a0139a47c72a535eeedaad95a
SHA256: 6b9377f830e4b8853c5772492789baf5ab1b0c6194b7f00d410570c0cebea4d0
SHA512: 110dbfe457a76c03e72acfb4334461a63fa4d0f02f955b90cc736e825e0007a26aa5244c599194ff6e05adb3d4476513575fbf88d52ff23b5d7ed4f32ba21767

Filesize: 47KB
MD5: 2ad0ffa15d43c4e4eed93fed2a0c7cf6
SHA1: 0e133283f17fb450252c8377f88f9e02d765279b
SHA256: 9323e5bcad6008100e471a8f2ee36aa0ad44d92a4ccb013b99cb2792eed367af
SHA512: 026d9f83368f2d46b10525941ccbee97916ac0f0fe8c8a277d879c7a77756590ef85781b1763ba810e254283a6d7e6bbd8ce1048b8927c06965f0d60a96727bc

Filesize: 15KB
MD5: f4dfd83153e8c9088ae2db704107060d
SHA1: f1aefc68cd03ea536e75047554e59edbb453ecfc
SHA256: 89aa5d62e788a6cde675d3235af41c5c353052baeba525650874cc1f4dab6d07
SHA512: 4521655154e890e1b158791537c64b9cb5c1de6469dda047cc543d1562991129e11a3f51050752e1c1dae73798371cbe93318a3f23abd7f99c6398a74f26c28f