Analysis
max time kernel: 15s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28/05/2024, 10:45
Static task: static1
Behavioral task: behavioral1
  Sample: 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
Size: 107KB
MD5: 4001d60beeb865ab828fc65fd7ca9000
SHA1: 91e4543d9ecda45883766283308efb6d7247fa5a
SHA256: 6d8ca89c4aba982f2cfe02216a11697446eeaad5e5a6fabe10648f73b16b8ce2
SHA512: 54575d192ca10bce1e53e7e46e923a93702e3e4ccf8072bd182809f681efd7ba5d68e192dd3a865d8f3f9f47acf054aa4ad0187cc6fcd457334c40e54a69ae9a
SSDEEP: 3072:HQC/yj5JO3MnBG+pLK4ddJMY86ipmns6W:wlj7cMnw+NKCJMYE
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
  pid  | Process
  2980 | MSWDM.EXE
  2668 | MSWDM.EXE
  2648 | 4001D60BEEB865AB828FC65FD7CA9000_NEIKIANALYTICS.EXE
  2528 | MSWDM.EXE
Loads dropped DLL (1 IoC)
  pid  | Process
  2980 | MSWDM.EXE
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
  Note: the Wow6432Node path is the WOW64 registry redirection applied to a 32-bit process writing HKLM\Software\...\CurrentVersion\Run on the 64-bit image; that Run value is still processed at logon. RunServices is a Windows 9x-era key that NT-based Windows ignores, so only the Run value is working persistence. The value is the bare file name "MSWDM.EXE" rather than a full path.
Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\dev8D51.tmp | 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
  File opened for modification | C:\Windows\dev8D51.tmp | MSWDM.EXE
  File created | C:\WINDOWS\MSWDM.EXE | 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid  | Process
  2980 | MSWDM.EXE
Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 1284 wrote to memory of 2668 | 1284 | 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe | 28
  PID 1284 wrote to memory of 2668 | 1284 | 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe | 28
  PID 1284 wrote to memory of 2668 | 1284 | 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe | 28
  PID 1284 wrote to memory of 2668 | 1284 | 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe | 28
  PID 1284 wrote to memory of 2980 | 1284 | 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe | 29
  PID 1284 wrote to memory of 2980 | 1284 | 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe | 29
  PID 1284 wrote to memory of 2980 | 1284 | 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe | 29
  PID 1284 wrote to memory of 2980 | 1284 | 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe | 29
  PID 2980 wrote to memory of 2648 | 2980 | MSWDM.EXE | 30
  PID 2980 wrote to memory of 2648 | 2980 | MSWDM.EXE | 30
  PID 2980 wrote to memory of 2648 | 2980 | MSWDM.EXE | 30
  PID 2980 wrote to memory of 2648 | 2980 | MSWDM.EXE | 30
  PID 2980 wrote to memory of 2528 | 2980 | MSWDM.EXE | 31
  PID 2980 wrote to memory of 2528 | 2980 | MSWDM.EXE | 31
  PID 2980 wrote to memory of 2528 | 2980 | MSWDM.EXE | 31
  PID 2980 wrote to memory of 2528 | 2980 | MSWDM.EXE | 31
  Note: each parent/child pair is logged four times; the table records four distinct write targets (2668 and 2980 from the sample, 2648 and 2528 from MSWDM.EXE).
Processes
1. C:\Users\Admin\AppData\Local\Temp\4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe (PID 1284)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\WINDOWS\MSWDM.EXE (PID 2668)
      Command line: "C:\WINDOWS\MSWDM.EXE"
      - Executes dropped EXE
      - Adds Run key to start application
   2. C:\WINDOWS\MSWDM.EXE (PID 2980)
      Arguments: -r!C:\Windows\dev8D51.tmp!C:\Users\Admin\AppData\Local\Temp\4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe! !
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\4001D60BEEB865AB828FC65FD7CA9000_NEIKIANALYTICS.EXE (PID 2648)
         - Executes dropped EXE
      3. C:\WINDOWS\MSWDM.EXE (PID 2528)
         Arguments: -e!C:\Windows\dev8D51.tmp!C:\Users\Admin\AppData\Local\Temp\4001D60BEEB865AB828FC65FD7CA9000_NEIKIANALYTICS.EXE!
         - Executes dropped EXE
         - Drops file in Windows directory
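The signature tables and the process tree above are the report's flattened rows. As an added example (not tria.ge output and not code from the sample's own analysis), the Python below parses those rows exactly as they appear on this page, applies three checks to the registry autostart writes (legacy RunServices key, bare file name as the value, WOW64-redirected path), lists what was created under C:\Windows, and rebuilds the parent/child tree from the WriteProcessMemory events after collapsing the repeated rows. It assumes only the column layout shown above; the rule names and the analyse() entry point are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the signature tables above, one event
# per line. The WriteProcessMemory rows are abridged (the report repeats each
# parent/child pair four times; one pair is kept twice to show the dedup).
RUN_KEY_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" MSWDM.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" MSWDM.EXE
'''
FILE_EVENTS = r'''
File opened for modification C:\Windows\dev8D51.tmp 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
File opened for modification C:\Windows\dev8D51.tmp MSWDM.EXE
File created C:\WINDOWS\MSWDM.EXE 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
'''
WPM_EVENTS = '''
PID 1284 wrote to memory of 2668 1284 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe 28
PID 1284 wrote to memory of 2668 1284 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe 28
PID 1284 wrote to memory of 2980 1284 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe 29
PID 2980 wrote to memory of 2648 2980 MSWDM.EXE 30
PID 2980 wrote to memory of 2528 2980 MSWDM.EXE 31
'''
# pid -> image, from the "Executes dropped EXE" table above
DROPPED_EXE = {2980: "MSWDM.EXE", 2668: "MSWDM.EXE", 2528: "MSWDM.EXE",
               2648: "4001D60BEEB865AB828FC65FD7CA9000_NEIKIANALYTICS.EXE"}

RUN_RE = re.compile(r'^Set value \(\w+\) (?P<key>\S+) = "(?P<value>[^"]*)" (?P<proc>\S+)$')
FILE_RE = re.compile(r'^(?P<action>File opened for modification|File created) (?P<path>\S+) (?P<proc>\S+)$')
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) \d+$')


def parse(text, regex):
    """One dict per row; lines that do not fit the column layout are skipped."""
    return [m.groupdict() for line in text.strip().splitlines()
            if (m := regex.match(line.strip()))]


def autostart_findings(events):
    """Rules over registry autostart writes; returns (rule, key, process) tuples."""
    out = []
    for e in events:
        subkey = e["key"].split("\\")[-2]          # "Run" or "RunServices"
        if subkey.lower() == "runservices":
            # Windows 9x-era key that NT-based Windows never processes.
            out.append(("legacy_runservices", e["key"], e["proc"]))
        if "\\" not in e["value"] and ":" not in e["value"]:
            # Bare image name, not pinned to the dropped file's location.
            out.append(("bare_filename", e["key"], e["proc"]))
        if "\\wow6432node\\" in e["key"].lower():
            # WOW64 redirection: a 32-bit writer on a 64-bit OS.
            out.append(("wow64_redirected", e["key"], e["proc"]))
    return out


def files_under_windows_dir(events, action="File created"):
    """Paths the given action touched directly under C:\\Windows."""
    return sorted({e["path"] for e in events if e["action"] == action
                   and e["path"].upper().startswith("C:\\WINDOWS\\")})


def process_edges(events):
    """Deduplicated (writer_pid, target_pid) pairs: the sandbox logs each
    write several times, so raw row counts overstate the injections."""
    return sorted({(int(e["src"]), int(e["dst"])) for e in events})


def render_tree(edges, names):
    """Indented listing rooted at pids that were never a write target."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    roots = sorted({s for s, _ in edges} - {d for _, d in edges})
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def analyse():
    run = parse(RUN_KEY_EVENTS, RUN_RE)
    files = parse(FILE_EVENTS, FILE_RE)
    wpm = parse(WPM_EVENTS, WPM_RE)
    names = dict(DROPPED_EXE)
    for e in wpm:                                  # writers name themselves
        names.setdefault(int(e["src"]), e["proc"])
    edges = process_edges(wpm)
    return {"autostart": autostart_findings(run),
            "dropped": files_under_windows_dir(files),
            "edges": edges, "tree": render_tree(edges, names)}
```

analyse() returns ten autostart findings for the four writes (every write is a bare file name under Wow6432Node, two of them to RunServices), the single file created under the Windows directory, four distinct injection edges from the repeated rows, and a five-line tree with the sample at PID 1284 as the only root; the same regexes work on the other signature tables in the report because tria.ge renders them with the same column order.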
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 107KB
  MD5: 69b58884d5d412c305cd24e22b7c7c18
  SHA1: 31731887f2b8c64ca2bd06194cf65429697ad1ae
  SHA256: ae68678de3738d0c1380c03270f66acdd24f2b7a410a3dfddb9c1d38d13012ea
  SHA512: c5f3cf9763f538166ccbd72320aecc2f3226c4dc7d446c44d1e48612dfbc177eaa4ff96cbd09866673cbbab78adc9cebccbfa24adbe519b0e3fc33427f0149eb
Filesize: 59KB
  MD5: dfc18f7068913dde25742b856788d7ca
  SHA1: cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
  SHA256: ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
  SHA512: d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945
Filesize: 47KB
  MD5: 2ad0ffa15d43c4e4eed93fed2a0c7cf6
  SHA1: 0e133283f17fb450252c8377f88f9e02d765279b
  SHA256: 9323e5bcad6008100e471a8f2ee36aa0ad44d92a4ccb013b99cb2792eed367af
  SHA512: 026d9f83368f2d46b10525941ccbee97916ac0f0fe8c8a277d879c7a77756590ef85781b1763ba810e254283a6d7e6bbd8ce1048b8927c06965f0d60a96727bc