Analysis
  Max time kernel:   27s
  Max time network:  94s
  Platform:          windows10-2004_x64
  Resource:          win10v2004-20240426-en
  Resource tags:     arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  Submitted:         28/05/2024, 10:45
Static task: static1

Behavioral task: behavioral1
  Sample:   4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample:   4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
  Target: 4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
  Size:   107KB
  MD5:    4001d60beeb865ab828fc65fd7ca9000
  SHA1:   91e4543d9ecda45883766283308efb6d7247fa5a
  SHA256: 6d8ca89c4aba982f2cfe02216a11697446eeaad5e5a6fabe10648f73b16b8ce2
  SHA512: 54575d192ca10bce1e53e7e46e923a93702e3e4ccf8072bd182809f681efd7ba5d68e192dd3a865d8f3f9f47acf054aa4ad0187cc6fcd457334c40e54a69ae9a
  SSDEEP: 3072:HQC/yj5JO3MnBG+pLK4ddJMY86ipmns6W:wlj7cMnw+NKCJMYE
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
  PID   Process
  4292  MSWDM.EXE
  772   MSWDM.EXE
  2952  4001D60BEEB865AB828FC65FD7CA9000_NEIKIANALYTICS.EXE
  4500  MSWDM.EXE

Adds Run key to start application (2 TTPs, 4 IoCs)
  Description      IoC                                                                                          Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          MSWDM.EXE
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  MSWDM.EXE

Drops file in Windows directory (3 IoCs)
  Description                   IoC                     Process
  File created                  C:\WINDOWS\MSWDM.EXE    4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
  File opened for modification  C:\Windows\dev348D.tmp  4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
  File opened for modification  C:\Windows\dev348D.tmp  MSWDM.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID   Process
  772   MSWDM.EXE
  772   MSWDM.EXE

Suspicious use of WriteProcessMemory (11 IoCs)
  Description                        PID   Process                                              Target procid
  PID 4624 wrote to memory of 4292   4624  4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe  81
  PID 4624 wrote to memory of 4292   4624  4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe  81
  PID 4624 wrote to memory of 4292   4624  4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe  81
  PID 4624 wrote to memory of 772    4624  4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe  82
  PID 4624 wrote to memory of 772    4624  4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe  82
  PID 4624 wrote to memory of 772    4624  4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe  82
  PID 772 wrote to memory of 2952    772   MSWDM.EXE                                            83
  PID 772 wrote to memory of 2952    772   MSWDM.EXE                                            83
  PID 772 wrote to memory of 4500    772   MSWDM.EXE                                            84
  PID 772 wrote to memory of 4500    772   MSWDM.EXE                                            84
  PID 772 wrote to memory of 4500    772   MSWDM.EXE                                            84
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe"
      PID: 4624
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      [2] C:\WINDOWS\MSWDM.EXE
          Command line: "C:\WINDOWS\MSWDM.EXE"
          PID: 4292
          - Executes dropped EXE
          - Adds Run key to start application

      [2] C:\WINDOWS\MSWDM.EXE
          Command line: -r!C:\Windows\dev348D.tmp!C:\Users\Admin\AppData\Local\Temp\4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe! !
          PID: 772
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

          [3] C:\Users\Admin\AppData\Local\Temp\4001D60BEEB865AB828FC65FD7CA9000_NEIKIANALYTICS.EXE
              PID: 2952
              - Executes dropped EXE

          [3] C:\WINDOWS\MSWDM.EXE
              Command line: -e!C:\Windows\dev348D.tmp!C:\Users\Admin\AppData\Local\Temp\4001D60BEEB865AB828FC65FD7CA9000_NEIKIANALYTICS.EXE!
              PID: 4500
              - Executes dropped EXE
              - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 107KB
  MD5:      b4efe40b13cebdc31dc204f3b90ffbb3
  SHA1:     a2c5359df7390891061592e3a92f91a1c8101aad
  SHA256:   e98db6c2e1564227e5f6622aa9313c155d35bca8f95d80adeb6c68e0f53b01e0
  SHA512:   b924625935e47f902ce079c70418f09e6f4e89dd34ad79d70fab14dbe5686e4d58ebc8f002d47c932dbee82058b88b547513f9283c6039cf46472b71c408c7b2

  Filesize: 47KB
  MD5:      2ad0ffa15d43c4e4eed93fed2a0c7cf6
  SHA1:     0e133283f17fb450252c8377f88f9e02d765279b
  SHA256:   9323e5bcad6008100e471a8f2ee36aa0ad44d92a4ccb013b99cb2792eed367af
  SHA512:   026d9f83368f2d46b10525941ccbee97916ac0f0fe8c8a277d879c7a77756590ef85781b1763ba810e254283a6d7e6bbd8ce1048b8927c06965f0d60a96727bc

  Filesize: 59KB
  MD5:      dfc18f7068913dde25742b856788d7ca
  SHA1:     cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
  SHA256:   ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
  SHA512:   d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945