Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 141s
max time network: 120s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 03/06/2024, 05:06
Behavioral task: behavioral1
Sample: 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe
Size: 383KB
MD5: 9c805fc3829e484ede63b33a40b13b10
SHA1: ec0b1354b3c5f05ab1d17968501fffa833b74466
SHA256: bf5e5101a0e8da1521a958ecb965bbf16142b808fa7db91318c8a39e905b6c68
SHA512: e1f66e3f3f0f7a390eb8df47064344a692ad5d1b45aa93eff0027a1d1e3ac2c67bfae1ff9b4d036a8c54407e4413a0dedcc51d199bdb33910d78f9a3b9f709fd
SSDEEP: 6144:td5afqlpDHA9NtTV3okaEXnMhr1gg5YdEV1l6RXMAcfBOWq3oXY/LBFV7UMXKb3w:td5acTP+n25J1sJWWLBF2MXKb5Ol7
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- PID 2348: svchost.exe

Loads dropped DLL (7 IoCs)
- PID 2944: 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe (2 entries)
- PID 1160: WerFault.exe (5 entries)

UPX-packed resources (yara_rule: upx)
- behavioral1/memory/2944-0-0x0000000000400000-0x000000000049D000-memory.dmp
- behavioral1/files/0x000c00000001227b-9.dat
- behavioral1/memory/2944-11-0x0000000000330000-0x00000000003CD000-memory.dmp
- behavioral1/memory/2348-19-0x0000000000400000-0x000000000049D000-memory.dmp
- behavioral1/memory/2944-18-0x0000000000400000-0x000000000049D000-memory.dmp
- behavioral1/memory/2348-42-0x0000000000400000-0x000000000049D000-memory.dmp

Modifies WinLogon (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d27658f7 = "C:\\Windows\\apppatch\\svchost.exe", by process 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe

Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\apppatch\svchost.exe, by process 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe
- File opened for modification: C:\Windows\apppatch\svchost.exe, by process 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe

Program crash (1 IoC)
- PID 1160 (WerFault.exe), pid_target 2348, procid_target 28

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 2348: svchost.exe

Suspicious behavior: RenamesItself (1 IoC)
- PID 2944: 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token SeSecurityPrivilege, PID 2944, 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe (2 entries)
- Token SeSecurityPrivilege, PID 2348, svchost.exe (2 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2944 (9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe) wrote to memory of PID 2348, procid_target 28 (4 entries)
- PID 2348 (svchost.exe) wrote to memory of PID 1160, procid_target 29 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe (PID 2944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\apppatch\svchost.exe (PID 2348)
    Command line: "C:\Windows\apppatch\svchost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1160)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 420
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 383KB
  MD5: 1840c7e5710f0a21cb4d7da5fd0c0834
  SHA1: 2ed318933069fb6501438644a9d168c4d7f1e12c
  SHA256: e1c7504a23777145d8211b093376d53b5316c1ea65b990d30ca828468183b830
  SHA512: dd776c9b2a19d6ce732546ff47e068f6d73db476e302a4b03b8c586c36a2f5aace45c1ac3de404dfc3507c83ca79a88b763ecc4eb99100a734948ece3cbb5573