Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 26/05/2024, 12:15
Static task
- static1
Behavioral task
- behavioral1
  Sample: 5af5c7f4e1f144f692dbb69580e26d10_NeikiAnalytics.exe
  Resource: win7-20240215-en
Behavioral task
- behavioral2
  Sample: 5af5c7f4e1f144f692dbb69580e26d10_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: 5af5c7f4e1f144f692dbb69580e26d10_NeikiAnalytics.exe
- Size: 297KB
- MD5: 5af5c7f4e1f144f692dbb69580e26d10
- SHA1: ac88c0d9e90f0cdbbd8f40efc02c3c1308678b5f
- SHA256: 31e48e45e25409feea92758892b7d3a331efc71ea98ec2249fb28f76ccebbff3
- SHA512: 32db85c0703e5bb98807a94d985edd1a8c07ee721602a5f71ee967927e92ef56a5589a90d6b1b843a4f4c26406647d56b09984cc9f8d7eeabb5f2358dc7688a7
- SSDEEP: 6144:OsUTxSfmskOe7sCN1iOYhElV4ytBxuAZXa:OsxfnzeIXhElHuAxa
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
  pid 3040, process racmzae.exe
- Loads dropped DLL (3 IoCs)
  pid 3040, process racmzae.exe (same entry listed 3 times)
- Drops file in Program Files directory (2 IoCs)
  File created: C:\PROGRA~3\Mozilla\racmzae.exe, by process 5af5c7f4e1f144f692dbb69580e26d10_NeikiAnalytics.exe
  File created: C:\PROGRA~3\Mozilla\ttbtowf.dll, by process racmzae.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2836, process 5af5c7f4e1f144f692dbb69580e26d10_NeikiAnalytics.exe
  pid 3040, process racmzae.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2756 wrote to memory of 3040; pid 2756, process taskeng.exe, procid_target 29 (same entry listed 7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\5af5c7f4e1f144f692dbb69580e26d10_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5af5c7f4e1f144f692dbb69580e26d10_NeikiAnalytics.exe"
  PID: 2836
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {5FFCE6DA-5D6D-4F15-9F7A-1D3357363323} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2756
  - Suspicious use of WriteProcessMemory
  - C:\PROGRA~3\Mozilla\racmzae.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc
    PID: 3040
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 297KB
  MD5: f13de64ab76b15e71257ff15a06c634e
  SHA1: ac2ca0161b109127d94f1a5255739d5ef8625f5f
  SHA256: 75a0bc4029091cef62be4a4bcb1d3464ff88d64c74cb192e47ba12c15665f48d
  SHA512: d97ce0f2527ce6141a902f51b906f9936c90aded8fc4cd74ee1e9a03552e440a5b8183fa40856cf5e2df8f99c4da416bf440c4f77274f0f10a554fe5e1921d80