Analysis
- max time kernel: 27s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/05/2024, 21:21
Behavioral task: behavioral1
- Sample: 085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
- Size: 497KB
- MD5: 085308cca9a84765b02ec5b603f015f0
- SHA1: d6c7a285898e0127f065cbf23dffefa55d013cb2
- SHA256: 62d660c53b5a1cbcd0f26522a72560b636e72504be70be1807e0f7bf851a5e6a
- SHA512: c1c820d791e26ba4d331da3d4db392c46b1dff3599d0aedabca91b0205d4257c3e05d98c507b4b502bcf3eec6added48e041dc45af49c390d224003bd4a85967
- SSDEEP: 6144:J89MAfjz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1faym:+D1gL5pRTcAkS/3hzN8qE43fm78Va
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid  | Process
  4908 | MSWDM.EXE
  232  | MSWDM.EXE
  3452 | 085308CCA9A84765B02EC5B603F015F0_NEIKIANALYTICS.EXE
  696  | MSWDM.EXE
- UPX-packed resources (yara_rule matches)
  resource                                                                  | yara_rule
  behavioral2/memory/4976-0-0x0000000000400000-0x0000000000418000-memory.dmp  | upx
  behavioral2/files/0x0008000000023286-3.dat                                 | upx
  behavioral2/memory/4976-10-0x0000000000400000-0x0000000000418000-memory.dmp | upx
  behavioral2/memory/232-12-0x0000000000400000-0x0000000000418000-memory.dmp  | upx
  behavioral2/memory/4908-11-0x0000000000400000-0x0000000000418000-memory.dmp | upx
  behavioral2/memory/696-17-0x0000000000400000-0x0000000000418000-memory.dmp  | upx
  behavioral2/files/0x000700000002341e-20.dat                                | upx
  behavioral2/memory/232-25-0x0000000000400000-0x0000000000418000-memory.dmp  | upx
  behavioral2/memory/696-22-0x0000000000400000-0x0000000000418000-memory.dmp  | upx
  behavioral2/memory/4908-26-0x0000000000400000-0x0000000000418000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description     | ioc                                                                                             | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"         | 085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | 085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"         | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
- Drops file in Windows directory (3 IoCs)
  description                  | ioc                    | Process
  File opened for modification | C:\Windows\dev470B.tmp | MSWDM.EXE
  File created                 | C:\WINDOWS\MSWDM.EXE   | 085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\dev470B.tmp | 085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  232 | MSWDM.EXE
  232 | MSWDM.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        | pid  | Process                                             | procid_target
  PID 4976 wrote to memory of 4908   | 4976 | 085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe | 82
  PID 4976 wrote to memory of 4908   | 4976 | 085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe | 82
  PID 4976 wrote to memory of 4908   | 4976 | 085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe | 82
  PID 4976 wrote to memory of 232    | 4976 | 085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe | 83
  PID 4976 wrote to memory of 232    | 4976 | 085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe | 83
  PID 4976 wrote to memory of 232    | 4976 | 085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe | 83
  PID 232 wrote to memory of 3452    | 232  | MSWDM.EXE                                           | 84
  PID 232 wrote to memory of 3452    | 232  | MSWDM.EXE                                           | 84
  PID 232 wrote to memory of 696     | 232  | MSWDM.EXE                                           | 86
  PID 232 wrote to memory of 696     | 232  | MSWDM.EXE                                           | 86
  PID 232 wrote to memory of 696     | 232  | MSWDM.EXE                                           | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe (PID 4976, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\MSWDM.EXE (PID 4908, depth 2)
    Command line: "C:\WINDOWS\MSWDM.EXE"
    - Executes dropped EXE
    - Adds Run key to start application
  - C:\WINDOWS\MSWDM.EXE (PID 232, depth 2)
    Command line: -r!C:\Windows\dev470B.tmp!C:\Users\Admin\AppData\Local\Temp\085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe! !
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\085308CCA9A84765B02EC5B603F015F0_NEIKIANALYTICS.EXE (PID 3452, depth 3)
      - Executes dropped EXE
    - C:\WINDOWS\MSWDM.EXE (PID 696, depth 3)
      Command line: -e!C:\Windows\dev470B.tmp!C:\Users\Admin\AppData\Local\Temp\085308CCA9A84765B02EC5B603F015F0_NEIKIANALYTICS.EXE!
      - Executes dropped EXE
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 497KB
  MD5: c43249cad8c5e7fae5604cbbc7778e88
  SHA1: e3db7416aab7340c3a7f6a10cb0315c5e696b70c
  SHA256: a0abffe9eb33d6cf51700799cbfb0741947400acb33da5d0221f392b6127f370
  SHA512: 04b2c17d415ae168e1e61546e7e08d79faa1c38df5e6232c33f11710a787d2674150ad6727d20d0288a3c758b2539ea107ea7467c1b43070258442c71d36b599
- Filesize: 39KB
  MD5: 66d80d8f33e48c894755326fa6ba21dd
  SHA1: 2eba9f7bdbaa30817fa02b3644cb3c9a22ad5fdd
  SHA256: 10920efe3452a64993af20cb3d814c6b1d315c10d253d667da2e4354f5ec3a86
  SHA512: 88dcf79f6291febb93976d06a8c60a431f3bc8df03e74cb6e38d09cca0b71531827d40296eef823d95c001d2017bddcf740463492edbcb82e55edbd2ea22c86a
- Filesize: 458KB
  MD5: 619f7135621b50fd1900ff24aade1524
  SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
  SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
  SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628