Analysis
max time kernel: 19s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 03/06/2024, 05:09
Static task: static1
Behavioral task: behavioral1
  Sample: 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
Size: 538KB
MD5: 9c9be88b4b2ae8ea58001b80b5e24610
SHA1: 06e993ea271db84a54901ed8c464656def1bc805
SHA256: fa8afbb7ed8b62521d89341a6dc3001bad19811297da7f77ca7fc7f0703c2d05
SHA512: fbad8807906fb5b7f4bda4344a730c816cb9d92d835df4aeef1402891f30e0912835ef8e038dcfaee1ec7796db0dfc5bfbafb637618327bc95ff452310a473f7
SSDEEP: 12288:wlbX+h1gL5pRTcAkS/3hzN8qE43fm78Vg:WbX+w5jcAkSYqyEg
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
  pid   Process
  2520  MSWDM.EXE
  2192  MSWDM.EXE
  3024  9C9BE88B4B2AE8EA58001B80B5E24610_NEIKIANALYTICS.EXE
  376   MSWDM.EXE

Loads dropped DLL (2 IoCs)
  pid   Process
  2520  MSWDM.EXE
  3048  Process not Found

Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                               Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          MSWDM.EXE
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  MSWDM.EXE

Drops file in Windows directory (2 IoCs)
  description                   ioc                      Process
  File created                  C:\WINDOWS\MSWDM.EXE     9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
  File opened for modification  C:\Windows\dev18DE.tmp   9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2520  MSWDM.EXE

Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   Process                                               procid_target
  PID 2212 wrote to memory of 2192  2212  9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe  28
  PID 2212 wrote to memory of 2192  2212  9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe  28
  PID 2212 wrote to memory of 2192  2212  9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe  28
  PID 2212 wrote to memory of 2192  2212  9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe  28
  PID 2212 wrote to memory of 2520  2212  9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe  29
  PID 2212 wrote to memory of 2520  2212  9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe  29
  PID 2212 wrote to memory of 2520  2212  9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe  29
  PID 2212 wrote to memory of 2520  2212  9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe  29
  PID 2520 wrote to memory of 3024  2520  MSWDM.EXE                                             30
  PID 2520 wrote to memory of 3024  2520  MSWDM.EXE                                             30
  PID 2520 wrote to memory of 3024  2520  MSWDM.EXE                                             30
  PID 2520 wrote to memory of 3024  2520  MSWDM.EXE                                             30
  PID 2520 wrote to memory of 376   2520  MSWDM.EXE                                             32
  PID 2520 wrote to memory of 376   2520  MSWDM.EXE                                             32
  PID 2520 wrote to memory of 376   2520  MSWDM.EXE                                             32
  PID 2520 wrote to memory of 376   2520  MSWDM.EXE                                             32
Processes

[1] C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2212

    [2] C:\WINDOWS\MSWDM.EXE
        Command line: "C:\WINDOWS\MSWDM.EXE"
        - Executes dropped EXE
        - Adds Run key to start application
        PID: 2192

    [2] C:\WINDOWS\MSWDM.EXE
        Command line: -r!C:\Windows\dev18DE.tmp!C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe! !
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 2520

        [3] C:\Users\Admin\AppData\Local\Temp\9C9BE88B4B2AE8EA58001B80B5E24610_NEIKIANALYTICS.EXE
            - Executes dropped EXE
            PID: 3024

        [3] C:\WINDOWS\MSWDM.EXE
            Command line: -e!C:\Windows\dev18DE.tmp!C:\Users\Admin\AppData\Local\Temp\9C9BE88B4B2AE8EA58001B80B5E24610_NEIKIANALYTICS.EXE!
            - Executes dropped EXE
            PID: 376
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 458KB
MD5: 619f7135621b50fd1900ff24aade1524
SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Filesize: 80KB
MD5: c06d2bf4e02efc8301ffdee923381cfd
SHA1: 5ceea66714bd6040a2a57baa7e9eccd2b64e994a
SHA256: 3e7a32d9723e43ce05931b8b79f4fb8ec5eee0eafed7d4d7a635e9d5d4da5e87
SHA512: 0f1eb53c4bf4246614141adcf351bec9778373e4f6cf9700dc5ad00cd29b767ee1c0eb8d81b174890ddbcea39155895b6cb99681c3d20573faebd315628f3cf6