Analysis
- max time kernel: 24s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/06/2024, 22:29

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
- Size: 107KB
- MD5: 0b3ffacb0ded4504fcbaf41045d5e7d0
- SHA1: ec4caf055201e5516d6d6734a15e22c589dee263
- SHA256: 8a9eb18dff00bcac97fe8040840fe0f46622426284ba1d977ffb1f4158e495c2
- SHA512: 461f3825ef5ef88d0cb333d15e508eaa6cc5ffe93a1a9aa6272a463940c035f8b51894f3b7dea55ba30426d1b58beed14cf28b5bab55031260facb9dd90d10fb
- SSDEEP: 3072:HQC/yj5JO3MnnG+pLK4ddJMY86ipmns6P:wlj7cMnG+NKCJMYR
Malware Config
(none extracted)

Signatures
- Executes dropped EXE (4 IoCs)
  pid  | Process
  4864 | MSWDM.EXE
  3628 | MSWDM.EXE
  8    | 0B3FFACB0DED4504FCBAF41045D5E7D0_NEIKIANALYTICS.EXE
  4420 | MSWDM.EXE
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description     | ioc                                                                                                        | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"      | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"              | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"      | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"              | MSWDM.EXE
- Drops file in Windows directory (3 IoCs)
  description                  | ioc                       | Process
  File created                 | C:\WINDOWS\MSWDM.EXE      | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\dev41DB.tmp    | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\dev41DB.tmp    | MSWDM.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  3628 | MSWDM.EXE
  3628 | MSWDM.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        | pid  | Process                                             | procid_target
  PID 1988 wrote to memory of 4864   | 1988 | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe | 83
  PID 1988 wrote to memory of 4864   | 1988 | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe | 83
  PID 1988 wrote to memory of 4864   | 1988 | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe | 83
  PID 1988 wrote to memory of 3628   | 1988 | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe | 84
  PID 1988 wrote to memory of 3628   | 1988 | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe | 84
  PID 1988 wrote to memory of 3628   | 1988 | 0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe | 84
  PID 3628 wrote to memory of 8      | 3628 | MSWDM.EXE                                           | 85
  PID 3628 wrote to memory of 8      | 3628 | MSWDM.EXE                                           | 85
  PID 3628 wrote to memory of 4420   | 3628 | MSWDM.EXE                                           | 86
  PID 3628 wrote to memory of 4420   | 3628 | MSWDM.EXE                                           | 86
  PID 3628 wrote to memory of 4420   | 3628 | MSWDM.EXE                                           | 86
Processes (tree; depth shown by indentation)
- [1] C:\Users\Admin\AppData\Local\Temp\0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe"
  PID: 1988
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\WINDOWS\MSWDM.EXE
    Command line: "C:\WINDOWS\MSWDM.EXE"
    PID: 4864
    - Executes dropped EXE
    - Adds Run key to start application
  - [2] C:\WINDOWS\MSWDM.EXE
    Command line: -r!C:\Windows\dev41DB.tmp!C:\Users\Admin\AppData\Local\Temp\0b3ffacb0ded4504fcbaf41045d5e7d0_NeikiAnalytics.exe! !
    PID: 3628
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\0B3FFACB0DED4504FCBAF41045D5E7D0_NEIKIANALYTICS.EXE
      PID: 8
      - Executes dropped EXE
    - [3] C:\WINDOWS\MSWDM.EXE
      Command line: -e!C:\Windows\dev41DB.tmp!C:\Users\Admin\AppData\Local\Temp\0B3FFACB0DED4504FCBAF41045D5E7D0_NEIKIANALYTICS.EXE!
      PID: 4420
      - Executes dropped EXE
      - Drops file in Windows directory
Network
(no network indicators recorded)

MITRE ATT&CK Enterprise v15
Downloads
- Dropped file (107KB)
  MD5: 95f21b05453e4c0127a7382d959c2e8b
  SHA1: ca90a48d8d41c4f44867461ea082ff69bba410a3
  SHA256: a8378ce4279e17e11f4141b11663b575125e52a45915ee995c03fad8647235a3
  SHA512: 77236c5fcf8b4e597adb4821b0df7bf7174c3fd50ad6d5440cbef8f11bfe40bdc22eb628efe40042dff59b8409a46e2d92ec60073bf8a148ff4ab53fd9acad0f
- Dropped file (47KB)
  MD5: 705344bf490f31433f80acda6837395a
  SHA1: 346129cbbebd2436e618d662676b39a520c9db52
  SHA256: 8c50105f61b4c4e18eac962a85d10a9a8d887620e2a5fdd7e620a123f7cf0486
  SHA512: db5f9a44c470fc3dbeddba0389f48aca50eb6a07e823647dc42d33b3d6d0383fb4d2382d4a6e802c7a9948c1d8b5428fc345453ba795aa72592be06e45dc860b
- Dropped file (59KB)
  MD5: dfc18f7068913dde25742b856788d7ca
  SHA1: cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
  SHA256: ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
  SHA512: d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945