Analysis
  max time kernel:  20s
  max time network: 119s
  platform:         windows7_x64
  resource:         win7-20240419-en
  resource tags:    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  submitted:        03/06/2024, 05:08
Static task
  static1
Behavioral task
  behavioral1
    Sample:   9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe
    Resource: win7-20240419-en
Behavioral task
  behavioral2
    Sample:   9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe
    Resource: win10v2004-20240426-en
General
  Target: 9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe
  Size:   648KB
  MD5:    9c909de601e74f0aad3eab3b07a41e00
  SHA1:   7c8b0b3244a760f9d1e9c6fcc911ff7039ec71a9
  SHA256: b37dfbc6227eb93f3d46946b0c1c2db0730a2a123a0e4692a88f92b8e84ca898
  SHA512: 9f4a7107be863cf8780f857fa325dc268713b45a4b766f66bddc407ebafa860bf92714f6e810cfaa5050f7c34ebb093e601a12dc59c5c9a11aa68f049ef24e4d
  SSDEEP: 12288:wlbd+Yaplw9U+qMi8CtdVldusIh6BBHCHrKZXCktSzIzWpX5/:Wbd+bYTqMi8CtBd2QHCHmTBW5/
Malware Config
Signatures
Executes dropped EXE (5 IoCs)
  pid  | Process
  2804 | MSWDM.EXE
  2076 | MSWDM.EXE
  2708 | 9C909DE601E74F0AAD3EAB3B07A41E00_NEIKIANALYTICS.EXE
  1144 | Process not Found
  2736 | MSWDM.EXE

Loads dropped DLL (2 IoCs)
  pid  | Process
  2076 | MSWDM.EXE
  2076 | MSWDM.EXE

Adds Run key to start application (2 TTPs, 4 IoCs)
  description     | ioc                                                                                          | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"         | 9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | 9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"         | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE

Drops file in Windows directory (3 IoCs)
  description                  | ioc                    | Process
  File created                 | C:\WINDOWS\MSWDM.EXE   | 9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\dev191C.tmp | 9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe
  File opened for modification | C:\Windows\dev191C.tmp | MSWDM.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid  | Process
  2076 | MSWDM.EXE

Suspicious use of WriteProcessMemory (16 IoCs)
  description                       | pid  | Process                                             | procid_target
  PID 2932 wrote to memory of 2804  | 2932 | 9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe | 28
  PID 2932 wrote to memory of 2804  | 2932 | 9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe | 28
  PID 2932 wrote to memory of 2804  | 2932 | 9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe | 28
  PID 2932 wrote to memory of 2804  | 2932 | 9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe | 28
  PID 2932 wrote to memory of 2076  | 2932 | 9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe | 29
  PID 2932 wrote to memory of 2076  | 2932 | 9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe | 29
  PID 2932 wrote to memory of 2076  | 2932 | 9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe | 29
  PID 2932 wrote to memory of 2076  | 2932 | 9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe | 29
  PID 2076 wrote to memory of 2708  | 2076 | MSWDM.EXE                                           | 30
  PID 2076 wrote to memory of 2708  | 2076 | MSWDM.EXE                                           | 30
  PID 2076 wrote to memory of 2708  | 2076 | MSWDM.EXE                                           | 30
  PID 2076 wrote to memory of 2708  | 2076 | MSWDM.EXE                                           | 30
  PID 2076 wrote to memory of 2736  | 2076 | MSWDM.EXE                                           | 31
  PID 2076 wrote to memory of 2736  | 2076 | MSWDM.EXE                                           | 31
  PID 2076 wrote to memory of 2736  | 2076 | MSWDM.EXE                                           | 31
  PID 2076 wrote to memory of 2736  | 2076 | MSWDM.EXE                                           | 31
Processes (tree; indentation shows parent/child depth)
  C:\Users\Admin\AppData\Local\Temp\9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe"
    PID: 2932
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\WINDOWS\MSWDM.EXE
      Command line: "C:\WINDOWS\MSWDM.EXE"
      PID: 2804
      - Executes dropped EXE
      - Adds Run key to start application

    C:\WINDOWS\MSWDM.EXE
      Command line: C:\WINDOWS\MSWDM.EXE -r!C:\Windows\dev191C.tmp!C:\Users\Admin\AppData\Local\Temp\9c909de601e74f0aad3eab3b07a41e00_NeikiAnalytics.exe! !
      PID: 2076
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\9C909DE601E74F0AAD3EAB3B07A41E00_NEIKIANALYTICS.EXE
        PID: 2708
        - Executes dropped EXE

      C:\WINDOWS\MSWDM.EXE
        Command line: C:\WINDOWS\MSWDM.EXE -e!C:\Windows\dev191C.tmp!C:\Users\Admin\AppData\Local\Temp\9C909DE601E74F0AAD3EAB3B07A41E00_NEIKIANALYTICS.EXE!
        PID: 2736
        - Executes dropped EXE
        - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads