Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 24s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/05/2024, 04:14
Static task: static1
Behavioral task: behavioral1
- Sample: a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe
- Size: 104KB
- MD5: a9c1a80cdfd2fbab7964cbcedbd98c20
- SHA1: 0e0f8f4cb32655dcb68f25f920810a664ed3a003
- SHA256: 6a535e8e8745af860eab9901e1aaed16b2962fa408f4e73825f33e9de02c7e5b
- SHA512: 3f243fe70d95872e4c760b560ed761334fd9e820e388c1bac98d5054d5f34e28b5d41ae529c4dc827aa9dbcd4012b3392c4ad87f8e92f82d9fadfeae5e17a3a6
- SSDEEP: 3072:HQC/yj5JO3MntgG+TfH5TZsYnjIdbCNNoV/Xi:wlj7cMnv+TRT9n0duP
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid | Process
  4988 | MSWDM.EXE
  4644 | MSWDM.EXE
  3340 | MSWDM.EXE
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\MSWDM.EXE | a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe
  File opened for modification | C:\Windows\dev4DB2.tmp | a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe
  File opened for modification | C:\Windows\dev4DB2.tmp | MSWDM.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4644 | MSWDM.EXE
  4644 | MSWDM.EXE
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 212 wrote to memory of 4988 | 212 | a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe | 83
  PID 212 wrote to memory of 4988 | 212 | a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe | 83
  PID 212 wrote to memory of 4988 | 212 | a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe | 83
  PID 212 wrote to memory of 4644 | 212 | a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe | 84
  PID 212 wrote to memory of 4644 | 212 | a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe | 84
  PID 212 wrote to memory of 4644 | 212 | a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe | 84
  PID 4644 wrote to memory of 3340 | 4644 | MSWDM.EXE | 85
  PID 4644 wrote to memory of 3340 | 4644 | MSWDM.EXE | 85
  PID 4644 wrote to memory of 3340 | 4644 | MSWDM.EXE | 85
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe"
  PID: 212
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\WINDOWS\MSWDM.EXE
    Command line: "C:\WINDOWS\MSWDM.EXE"
    PID: 4988
    - Executes dropped EXE
    - Adds Run key to start application
  - [2] C:\WINDOWS\MSWDM.EXE
    Command line: -r!C:\Windows\dev4DB2.tmp!C:\Users\Admin\AppData\Local\Temp\a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe! !
    PID: 4644
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\WINDOWS\MSWDM.EXE
      Command line: -e!C:\Windows\dev4DB2.tmp!C:\Users\Admin\AppData\Local\Temp\A9C1A80CDFD2FBAB7964CBCEDBD98C20_NEIKIANALYTICS.EXE!
      PID: 3340
      - Executes dropped EXE
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 104KB
  MD5: 555e60ae3561ddf7b334fc52971bc13e
  SHA1: dd569f42c1b7002717508e4f3726ad6e13943575
  SHA256: eebbdc0d5f35ef91afe6c2c7aff5a2f69014fe7f3e1bc1870c894f99c7ac8a24
  SHA512: 0fb09dafbc13d0a856cde5d8a494f8fbdade5538640579458f00aec50a0952ee637b46c7a128cc828f50524809192a3a8128e499fd3884535a211f190765b620
- Filesize: 47KB
  MD5: b319afee8424fd20d10b6da7a12c7dde
  SHA1: 68a6d36f09571772ed6a37fcefe74ddf2b2982ce
  SHA256: ff1499f5fc1ff13b65427b7d971c27bc153f3311b3e26232ef8cd57c9faf0e0e
  SHA512: cd79380bb5d4a0921ee1d9bfad49bdebed82daca5a219cc3e2a06aae92e0a9b2bccc33cce595d75157f1738b25b04bd3fefcdff505867738caa0759a02c8fafd
- Filesize: 56KB
  MD5: 18fe30f810364bd33c396c9ee428f4b4
  SHA1: 362433117f9e00a8da6cb54fcd81365fe0168566
  SHA256: 7f13eeb5dca39d05e24b9eb069c6dcb2748633822d67288a8bf8b7e21cdddf55
  SHA512: 160147777466016b908a1a663e3457ed8dc6d0d4c3bb6e75b54206a3e84e8462f1cddf3f23a248d8cbea079615f5f58c4488e016dbdde04b9a0a03db9ce70660