Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26/05/2024, 19:58
Static task: static1
Behavioral task: behavioral1
- Sample: e949a8de8634af1527b3bd5eb113fc20_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: e949a8de8634af1527b3bd5eb113fc20_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: e949a8de8634af1527b3bd5eb113fc20_NeikiAnalytics.exe
- Size: 79KB
- MD5: e949a8de8634af1527b3bd5eb113fc20
- SHA1: 7183b085bde2873d4e0f456ea03d7109f17737d5
- SHA256: ae3d043eab55f81893e3876658b85bc68906acb59d6794f3a0455346f3215e2d
- SHA512: 5afaa5cb07c20919a28da14ce71d0c23cb4c57a350689b814606be34ba29c1e9eb89e1c9b11207e03f1291e3321f4349a14ed4139f886a36c406554ba452e5c4
- SSDEEP: 1536:zvJRAT+S0kaNVu9TOQA8AkqUhMb2nuy5wgIP0CSJ+5y+AB8GMGlZ5G:zvJR6Z0FNVuUGdqU7uy5w9WMyVN5G
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2352 | [email protected]
- Loads dropped DLL (2 IoCs)
  pid | Process
  2516 | cmd.exe
  2516 | cmd.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1032 wrote to memory of 2516 | 1032 | e949a8de8634af1527b3bd5eb113fc20_NeikiAnalytics.exe | 29 (reported 4 times)
  PID 2516 wrote to memory of 2352 | 2516 | cmd.exe | 30 (reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\e949a8de8634af1527b3bd5eb113fc20_NeikiAnalytics.exe (PID 1032)
  command line: "C:\Users\Admin\AppData\Local\Temp\e949a8de8634af1527b3bd5eb113fc20_NeikiAnalytics.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2516)
    command line: C:\Windows\system32\cmd.exe /c [email protected]
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\[email protected] (PID 2352)
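The chain in the tree above (a sample running from the user's Temp directory starts cmd.exe /c naming a file it dropped, and that file then runs from Temp with hashes that differ from the sample's) is the behaviour worth turning into a rule. The WriteProcessMemory rows pair each parent with the child it spawned (1032 to 2516, 2516 to 2352), which is what process creation looks like in this report rather than a write into an unrelated process, so the chain, not the write count, is the signal. The Python below is an added example, not part of the Triage report or of the sample it describes: it runs that check over constructed process-creation records whose field names follow Sysmon Event ID 1. The dropped file's name is obfuscated in this copy of the report, so `dropped.exe`, the parent PID 600 and the short hash strings are placeholders.

```python
"""Flag the chain  <Temp>\\root.exe -> cmd.exe /c X -> <Temp>\\X  seen in the report.

Added example; event records are constructed, not taken from the sandbox run.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import re


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field names follow Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str      # full path of the new process image
    cmdline: str    # command line as launched
    sha256: str     # hash of the image file


# Per-user Temp directory, case-insensitive, matching the paths in the report.
_USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def in_user_temp(path: str) -> bool:
    return bool(_USER_TEMP.match(path))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def cmd_c_target(cmdline: str) -> Optional[str]:
    """Return the program named after 'cmd.exe /c', honouring a quoted path."""
    m = re.search(r"(?:^|\s)/c\s+(.+)$", cmdline, re.I)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split()[0]


def find_temp_cmd_chains(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per Temp -> cmd.exe /c -> Temp chain.

    The /c argument must name the file that actually started as the child, so a
    cmd.exe that merely runs 'dir' between two Temp binaries does not match. The
    child's hash is compared with the root's so a self-relaunch of the same
    binary is distinguishable from execution of a different, dropped file.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for child in events:
        if not in_user_temp(child.image):
            continue
        cmd = by_pid.get(child.ppid)
        if cmd is None or basename(cmd.image) != "cmd.exe":
            continue
        root = by_pid.get(cmd.ppid)
        if root is None or not in_user_temp(root.image):
            continue
        target = cmd_c_target(cmd.cmdline)
        if target is None or basename(target) != basename(child.image):
            continue
        findings.append({
            "root_pid": root.pid,
            "cmd_pid": cmd.pid,
            "child_pid": child.pid,
            "child_image": child.image,
            "dropped_file_differs": child.sha256 != root.sha256,
        })
    return findings


# Constructed events mirroring the PIDs and paths in the process tree above.
# "dropped.exe", the parent PID 600 and the hash strings are placeholders: the
# real dropped file's name is obfuscated in this copy of the report.
SAMPLE_EVENTS = [
    ProcEvent(1032, 600,
              r"C:\Users\Admin\AppData\Local\Temp\e949a8de8634af1527b3bd5eb113fc20_NeikiAnalytics.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\e949a8de8634af1527b3bd5eb113fc20_NeikiAnalytics.exe"',
              "sample-hash"),
    ProcEvent(2516, 1032, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c dropped.exe", "cmd-hash"),
    ProcEvent(2352, 2516, r"C:\Users\Admin\AppData\Local\Temp\dropped.exe",
              r"dropped.exe", "dropped-hash"),
    # Benign control: a shell launched directly by explorer.exe with no Temp root.
    ProcEvent(3000, 600, r"C:\Windows\System32\notepad.exe", "notepad.exe", "np-hash"),
]

if __name__ == "__main__":
    for finding in find_temp_cmd_chains(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it prints one finding for the 1032 -> 2516 -> 2352 chain with `dropped_file_differs` set, and nothing for the control event. On real telemetry the obvious additions are the process's current directory (the `/c` argument in the report is a bare filename, so it resolves against the parent's working directory) and a second rule for the self-relaunch case, which this one deliberately keeps separate via the hash comparison.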
Network
MITRE ATT&CK Matrix
Downloads
- \Users\Admin\AppData\Local\Temp\[email protected]
  Filesize: 79KB
  MD5: 2da87b79be36f289386c81c7ccaa757e
  SHA1: 1a473dab76d2060ff237079877885665e248077a
  SHA256: 1261254ad3649c7032f7f0fa503d6b68d5977c976e1ff4b3b52632b9ef93ef59
  SHA512: 8dbca2f39a4a6b73647f93e213d1ef7c75a1476d5c6a3953d5a8f0a71ef7faa59b36c42db604911707b3529f12be99859925fca2a6be3ed98bbca40d56f9e99f