Analysis
- max time kernel: 25s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/05/2024, 11:50
Static task
static1
Behavioral task
behavioral1
Sample
410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
- Target: 410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
- Size: 538KB
- MD5: 410c78fc99472f90cfc29bcc59523410
- SHA1: e77ef297adc80c66fb22e81aa07efb2e3800fd4f
- SHA256: 9e105f3ee01edcfd5c174761879f2ddc5fc5430a8fcedc65123b1a30cbe5438f
- SHA512: 9ed3668ea47dd8b4b09711726fa15f503883e9aa81efec21f83048129bee725010668188d7c508dc6b04eb139cf71976930bd6370d00aae216f754182b26014a
- SSDEEP: 12288:wlbk+h1gL5pRTcAkS/3hzN8qE43fm78VF:Wbk+w5jcAkSYqyEF
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
pid  | Process
3560 | MSWDM.EXE
2124 | MSWDM.EXE
1404 | 410C78FC99472F90CFC29BCC59523410_NEIKIANALYTICS.EXE
4500 | MSWDM.EXE

Adds Run key to start application (2 TTPs, 4 IoCs)
description     | ioc                                                                                                   | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"         | 410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | 410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"         | MSWDM.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE

Drops file in Windows directory (3 IoCs)
description                  | ioc                    | Process
File created                 | C:\WINDOWS\MSWDM.EXE   | 410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
File opened for modification | C:\Windows\dev4A38.tmp | 410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
File opened for modification | C:\Windows\dev4A38.tmp | MSWDM.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  | Process
2124 | MSWDM.EXE
2124 | MSWDM.EXE

Suspicious use of WriteProcessMemory (11 IoCs)
description                      | pid  | Process                                             | procid_target
PID 3268 wrote to memory of 3560 | 3268 | 410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe | 85
PID 3268 wrote to memory of 3560 | 3268 | 410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe | 85
PID 3268 wrote to memory of 3560 | 3268 | 410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe | 85
PID 3268 wrote to memory of 2124 | 3268 | 410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe | 86
PID 3268 wrote to memory of 2124 | 3268 | 410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe | 86
PID 3268 wrote to memory of 2124 | 3268 | 410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe | 86
PID 2124 wrote to memory of 1404 | 2124 | MSWDM.EXE                                           | 87
PID 2124 wrote to memory of 1404 | 2124 | MSWDM.EXE                                           | 87
PID 2124 wrote to memory of 4500 | 2124 | MSWDM.EXE                                           | 89
PID 2124 wrote to memory of 4500 | 2124 | MSWDM.EXE                                           | 89
PID 2124 wrote to memory of 4500 | 2124 | MSWDM.EXE                                           | 89
Processes
C:\Users\Admin\AppData\Local\Temp\410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe"
  PID: 3268
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\WINDOWS\MSWDM.EXE
    command line: "C:\WINDOWS\MSWDM.EXE"
    PID: 3560
    - Executes dropped EXE
    - Adds Run key to start application
  C:\WINDOWS\MSWDM.EXE
    command line: -r!C:\Windows\dev4A38.tmp!C:\Users\Admin\AppData\Local\Temp\410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe! !
    PID: 2124
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\410C78FC99472F90CFC29BCC59523410_NEIKIANALYTICS.EXE
      PID: 1404
      - Executes dropped EXE
    C:\WINDOWS\MSWDM.EXE
      command line: -e!C:\Windows\dev4A38.tmp!C:\Users\Admin\AppData\Local\Temp\410C78FC99472F90CFC29BCC59523410_NEIKIANALYTICS.EXE!
      PID: 4500
      - Executes dropped EXE
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 538KB
- MD5: 82593f9fda2222fd516cbc59a2ed54f3
- SHA1: b4d4d7f537b4d1e4b37c641701dec1fa6933406a
- SHA256: eb74492891a203354838c3ae0440687d488e86d8a6e270c77160b9142735e4ac
- SHA512: 4a01ca5feca4ddebc73cdac2a448b8655d0a22e650b6c00a7e31dfcd6451b53e1f6ea8842f4916d546ed13391aed17efeb315bca2222b3c9ca975cd417e42e49

- Filesize: 80KB
- MD5: dfebdec58d9656407cf2802dc1090113
- SHA1: 002a06590638c2be096e62a638b6747deecc55fe
- SHA256: e311929da12614a80576548e58a25156d4064c815cde5dab5be1d0cd8b74e5f0
- SHA512: 069e725ed9fa3a2a918dd440fa84ced1c96859e3afba12684c2c35fc517cfb95ea5a075328a0f1e9b08f77deedf7217007ac4760a8d492c0c5194a70013ddc1c

- Filesize: 458KB
- MD5: 619f7135621b50fd1900ff24aade1524
- SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
- SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
- SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628