Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/05/2024, 22:47
Static task
- static1
Behavioral task
- behavioral1
  Sample: 12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: 12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe
- Size: 184KB
- MD5: 12226b157da60b9a14d1ff309d6a81d0
- SHA1: 4dec7c6c86fe1f65949101e758656c34e5468eb9
- SHA256: 0ef935d389d038b72112948b9cf06990579e5b894275451d2a65b9d4e2325140
- SHA512: 212775d896b44f26fcc66690fac77cbc807a835f151419f596f33abb59741f0646e06bfbfce9ea121bf50877732052e67884741d85de99cd63b07121fea3f76c
- SSDEEP: 3072:Z+RgXmochP1td7wtWhS8ZAbUcvnqnmiFO:Z+PoO77w78ObUcPqnmiF
Malware Config
Signatures
- Executes dropped EXE (6 IoCs)
  pid   Process
  1556  Unicorn-4957.exe
  432   Unicorn-49244.exe
  1652  Unicorn-36006.exe
  4432  Unicorn-62238.exe
  1920  Unicorn-14189.exe
  4532  Unicorn-1143.exe
- Program crash (6 IoCs)
  pid   pid_target  Process       procid_target
  2716  4864        WerFault.exe  82
  4600  1556        WerFault.exe  91
  3516  432         WerFault.exe  97
  4492  1652        WerFault.exe  101
  2288  4432        WerFault.exe  106
  4424  1920        WerFault.exe  109
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  4864  12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe
  1556  Unicorn-4957.exe
  432   Unicorn-49244.exe
  1652  Unicorn-36006.exe
  4432  Unicorn-62238.exe
  1920  Unicorn-14189.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid   Process                                               procid_target
  PID 4864 wrote to memory of 1556   4864  12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe  91
  PID 4864 wrote to memory of 1556   4864  12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe  91
  PID 4864 wrote to memory of 1556   4864  12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe  91
  PID 1556 wrote to memory of 432    1556  Unicorn-4957.exe                                      97
  PID 1556 wrote to memory of 432    1556  Unicorn-4957.exe                                      97
  PID 1556 wrote to memory of 432    1556  Unicorn-4957.exe                                      97
  PID 432 wrote to memory of 1652    432   Unicorn-49244.exe                                     101
  PID 432 wrote to memory of 1652    432   Unicorn-49244.exe                                     101
  PID 432 wrote to memory of 1652    432   Unicorn-49244.exe                                     101
  PID 1652 wrote to memory of 4432   1652  Unicorn-36006.exe                                     106
  PID 1652 wrote to memory of 4432   1652  Unicorn-36006.exe                                     106
  PID 1652 wrote to memory of 4432   1652  Unicorn-36006.exe                                     106
  PID 4432 wrote to memory of 1920   4432  Unicorn-62238.exe                                     109
  PID 4432 wrote to memory of 1920   4432  Unicorn-62238.exe                                     109
  PID 4432 wrote to memory of 1920   4432  Unicorn-62238.exe                                     109
  PID 1920 wrote to memory of 4532   1920  Unicorn-14189.exe                                     112
  PID 1920 wrote to memory of 4532   1920  Unicorn-14189.exe                                     112
  PID 1920 wrote to memory of 4532   1920  Unicorn-14189.exe                                     112
Processes
- C:\Users\Admin\AppData\Local\Temp\12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe (PID 4864)
  Command line: "C:\Users\Admin\AppData\Local\Temp\12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Unicorn-4957.exe (PID 1556)
    Command line: C:\Users\Admin\AppData\Local\Temp\Unicorn-4957.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Unicorn-49244.exe (PID 432)
      Command line: C:\Users\Admin\AppData\Local\Temp\Unicorn-49244.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-36006.exe (PID 1652)
        Command line: C:\Users\Admin\AppData\Local\Temp\Unicorn-36006.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\Unicorn-62238.exe (PID 4432)
          Command line: C:\Users\Admin\AppData\Local\Temp\Unicorn-62238.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\Unicorn-14189.exe (PID 1920)
            Command line: C:\Users\Admin\AppData\Local\Temp\Unicorn-14189.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\Unicorn-1143.exe (PID 4532)
              Command line: C:\Users\Admin\AppData\Local\Temp\Unicorn-1143.exe
              - Executes dropped EXE
            - C:\Windows\SysWOW64\WerFault.exe (PID 4424)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 724
              - Program crash
          - C:\Windows\SysWOW64\WerFault.exe (PID 2288)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 752
            - Program crash
        - C:\Windows\SysWOW64\WerFault.exe (PID 4492)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 744
          - Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 3516)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 744
        - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 4600)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 724
      - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 2716)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 744
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3768)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4864 -ip 4864
- C:\Windows\SysWOW64\WerFault.exe (PID 4260)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1556 -ip 1556
- C:\Windows\SysWOW64\WerFault.exe (PID 428)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 432 -ip 432
- C:\Windows\SysWOW64\WerFault.exe (PID 4656)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1652 -ip 1652
- C:\Windows\SysWOW64\WerFault.exe (PID 2276)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4432 -ip 4432
- C:\Windows\SysWOW64\WerFault.exe (PID 680)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1920 -ip 1920
Downloads