Analysis
- max time kernel: 13s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03/06/2024, 22:29
Static task: static1
Behavioral task: behavioral1
- Sample: 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
- Size: 107KB
- MD5: 0b3ffacb0ded4504fcbaf41045d5e7d0
- SHA1: ec4caf055201e5516d6d6734a15e22c589dee263
- SHA256: 8a9eb18dff00bcac97fe8040840fe0f46622426284ba1d977ffb1f4158e495c2
- SHA512: 461f3825ef5ef88d0cb333d15e508eaa6cc5ffe93a1a9aa6272a463940c035f8b51894f3b7dea55ba30426d1b58beed14cf28b5bab55031260facb9dd90d10fb
- SSDEEP: 3072:HQC/yj5JO3MnnG+pLK4ddJMY86ipmns6P:wlj7cMnG+NKCJMYR
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid | Process
  1064 | MSWDM.EXE
  1500 | MSWDM.EXE
  2916 | 0B3FFACB0DED4504FCBAF41045D5E7D0_NEIKIANALYTICS.EXE
  2620 | MSWDM.EXE
- Loads dropped DLL (1 IoC)
  pid | Process
  1064 | MSWDM.EXE
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\MSWDM.EXE | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\dev7D5A.tmp | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\dev7D5A.tmp | MSWDM.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  1064 | MSWDM.EXE
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2240 wrote to memory of 1500 | 2240 | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe | 28
  PID 2240 wrote to memory of 1500 | 2240 | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe | 28
  PID 2240 wrote to memory of 1500 | 2240 | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe | 28
  PID 2240 wrote to memory of 1500 | 2240 | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe | 28
  PID 2240 wrote to memory of 1064 | 2240 | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe | 29
  PID 2240 wrote to memory of 1064 | 2240 | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe | 29
  PID 2240 wrote to memory of 1064 | 2240 | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe | 29
  PID 2240 wrote to memory of 1064 | 2240 | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe | 29
  PID 1064 wrote to memory of 2916 | 1064 | MSWDM.EXE | 30
  PID 1064 wrote to memory of 2916 | 1064 | MSWDM.EXE | 30
  PID 1064 wrote to memory of 2916 | 1064 | MSWDM.EXE | 30
  PID 1064 wrote to memory of 2916 | 1064 | MSWDM.EXE | 30
  PID 1064 wrote to memory of 2620 | 1064 | MSWDM.EXE | 31
  PID 1064 wrote to memory of 2620 | 1064 | MSWDM.EXE | 31
  PID 1064 wrote to memory of 2620 | 1064 | MSWDM.EXE | 31
  PID 1064 wrote to memory of 2620 | 1064 | MSWDM.EXE | 31
Processes (tree depth shown as 1/2/3)
1. C:\Users\Admin\AppData\Local\Temp\0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe"
   PID: 2240
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\WINDOWS\MSWDM.EXE
      Command line: "C:\WINDOWS\MSWDM.EXE"
      PID: 1500
      - Executes dropped EXE
      - Adds Run key to start application
   2. C:\WINDOWS\MSWDM.EXE
      Command line: -r!C:\Windows\dev7D5A.tmp!C:\Users\Admin\AppData\Local\Temp\0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe! !
      PID: 1064
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\0B3FFACB0DED4504FCBAF41045D5E7D0_NEIKIANALYTICS.EXE
         PID: 2916
         - Executes dropped EXE
      3. C:\WINDOWS\MSWDM.EXE
         Command line: -e!C:\Windows\dev7D5A.tmp!C:\Users\Admin\AppData\Local\Temp\0B3FFACB0DED4504FCBAF41045D5E7D0_NEIKIANALYTICS.EXE!
         PID: 2620
         - Executes dropped EXE
         - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 107KB
  MD5: 76f96dfc964b3714753c177fd5a77e33
  SHA1: 88f162986ef0e41a1166a05250659f4870233cba
  SHA256: 426edec6f16821069c2131c1c687c200db4abe1cd626b91eaf234b4c8837b51c
  SHA512: 1b7cc6e231a7fce148a350f349886cc1cc1f2e45979266eb9e4cc47830c06091292d209fd3c7b92826314d71d6cb0a32777ab93cbcac2273df2aa17b652d3b88
- Filesize: 47KB
  MD5: 705344bf490f31433f80acda6837395a
  SHA1: 346129cbbebd2436e618d662676b39a520c9db52
  SHA256: 8c50105f61b4c4e18eac962a85d10a9a8d887620e2a5fdd7e620a123f7cf0486
  SHA512: db5f9a44c470fc3dbeddba0389f48aca50eb6a07e823647dc42d33b3d6d0383fb4d2382d4a6e802c7a9948c1d8b5428fc345453ba795aa72592be06e45dc860b
- Filesize: 59KB
  MD5: dfc18f7068913dde25742b856788d7ca
  SHA1: cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
  SHA256: ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
  SHA512: d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945