Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 26/05/2024, 16:10
Static task: static1
Behavioral task: behavioral1
- Sample: 11d27ca055eece72f4c961c0fdcd2310_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 11d27ca055eece72f4c961c0fdcd2310_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 11d27ca055eece72f4c961c0fdcd2310_NeikiAnalytics.exe
- Size: 79KB
- MD5: 11d27ca055eece72f4c961c0fdcd2310
- SHA1: adf86dd5cdbce5eb948bd41754361fb7ebc18229
- SHA256: 9becae9f534f63ec9bdeb33a81f33fa484a008bc62145a1f4b51c210257f816d
- SHA512: 465e9c7f43e49b55fcfc941f9df8e8c7d4b49f34b6ed55148be33d909b8c7fecaccdd604781a062d85805c1a33140943dcfb1836547f2135f89a8f5ee08dd465
- SSDEEP: 1536:zvSKKHfuaJOwqOQA8AkqUhMb2nuy5wgIP0CSJ+5ylB8GMGlZ5G:zviHfuXwfGdqU7uy5w9WMylN5G
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid  | Process
  2452 | [email protected]
- Loads dropped DLL (2 IoCs)
  pid  | Process
  1952 | cmd.exe
  1952 | cmd.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        | pid  | Process                                              | procid_target
  PID 3068 wrote to memory of 1952   | 3068 | 11d27ca055eece72f4c961c0fdcd2310_NeikiAnalytics.exe | 29
  PID 3068 wrote to memory of 1952   | 3068 | 11d27ca055eece72f4c961c0fdcd2310_NeikiAnalytics.exe | 29
  PID 3068 wrote to memory of 1952   | 3068 | 11d27ca055eece72f4c961c0fdcd2310_NeikiAnalytics.exe | 29
  PID 3068 wrote to memory of 1952   | 3068 | 11d27ca055eece72f4c961c0fdcd2310_NeikiAnalytics.exe | 29
  PID 1952 wrote to memory of 2452   | 1952 | cmd.exe                                              | 30
  PID 1952 wrote to memory of 2452   | 1952 | cmd.exe                                              | 30
  PID 1952 wrote to memory of 2452   | 1952 | cmd.exe                                              | 30
  PID 1952 wrote to memory of 2452   | 1952 | cmd.exe                                              | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\11d27ca055eece72f4c961c0fdcd2310_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11d27ca055eece72f4c961c0fdcd2310_NeikiAnalytics.exe"
  PID: 3068
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c [email protected]
    PID: 1952
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\[email protected] (depth 3)
      PID: 2452
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  Filesize: 79KB
  MD5: 7e6f868096197a58db38470e1c68a76b
  SHA1: db8c072ea5c445b16732d4d3ca5bf5154256be7e
  SHA256: cf073820e193f1ae84975454fee02a9db3382c3129f45a3b826ef26852e2b0d1
  SHA512: 8179d822955685f0b3a834b4902ecde81d81e6bb1d9af12ae6e550ba89784109ceeb9be3e4880adc44316af498f071c0308d70b6d6f11cf2c3d2d27b3387d028