Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 21/05/2024, 11:16
Static task
- static1
Behavioral task
- behavioral1
  Sample: 3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task
- behavioral2
  Sample: 3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
- Target: 3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe
- Size: 76KB
- MD5: 2ab58296b3710a838e7efe71fc1eb720
- SHA1: 073e29a2b66435357650ca1d76ae3065f5358575
- SHA256: 3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796
- SHA512: 9b2d2716033a77c4a2c9f5f91d5db76182fc4282744610ee3751307fe057c83d863209b9ad7ba9052a756582397208ca4227d9ec87166f281f6a41cdb08be281
- SSDEEP: 1536:abSshapMJgKJUuxGmfJPtOgqm1s/XZSWcHW:K25KJFjfJPtOgqm2/XZXP
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2700  winlgon.exe
- Loads dropped DLL (9 IoCs)
  pid   Process
  2856  3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe
  2856  3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe
  2556  WerFault.exe
  2556  WerFault.exe
  2556  WerFault.exe
  2556  WerFault.exe
  2556  WerFault.exe
  2556  WerFault.exe
  2556  WerFault.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                          Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"  3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"  3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2556  2700        WerFault.exe  28
  2848  2856        WerFault.exe  27
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2856  3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe
  2700  winlgon.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                                 procid_target
  PID 2856 wrote to memory of 2700   2856  3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe  28
  PID 2856 wrote to memory of 2700   2856  3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe  28
  PID 2856 wrote to memory of 2700   2856  3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe  28
  PID 2856 wrote to memory of 2700   2856  3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe  28
  PID 2700 wrote to memory of 2556   2700  winlgon.exe                                                                             29
  PID 2700 wrote to memory of 2556   2700  winlgon.exe                                                                             29
  PID 2700 wrote to memory of 2556   2700  winlgon.exe                                                                             29
  PID 2700 wrote to memory of 2556   2700  winlgon.exe                                                                             29
  PID 2856 wrote to memory of 2848   2856  3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe  30
  PID 2856 wrote to memory of 2848   2856  3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe  30
  PID 2856 wrote to memory of 2848   2856  3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe  30
  PID 2856 wrote to memory of 2848   2856  3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe  30
Processes
- C:\Users\Admin\AppData\Local\Temp\3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe (PID: 2856)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e170e6428b7a264d5a37830ec4697e6f4c52a5f8a05965a0f5ad31de4b51796_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\winlgon.exe (PID: 2700)
    Command line: c:\users\admin\appdata\local\temp\winlgon.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID: 2556)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 256
      - Loads dropped DLL
      - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID: 2848)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 204
    - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 77KB
  MD5: e36a76f14b3c44d965e095995259a541
  SHA1: 00d4e5b468dd774875d79e1c3e9efaf449e90935
  SHA256: 51a52dc27faf46632935db9de572878409a2a3306ad820e371e21b2c055bdc2c
  SHA512: 7036e689c2097544d01d10d45191a986ccb98cef204760f02369ef573c7b951d9553a7478a7c61032ddaee0eeabdee8355e6a23c68626f2eed00f42e5e480394