Analysis
- max time kernel: 23s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/06/2024, 05:09
Static task: static1
Behavioral task: behavioral1
- Sample: 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
- Size: 538KB
- MD5: 9c9be88b4b2ae8ea58001b80b5e24610
- SHA1: 06e993ea271db84a54901ed8c464656def1bc805
- SHA256: fa8afbb7ed8b62521d89341a6dc3001bad19811297da7f77ca7fc7f0703c2d05
- SHA512: fbad8807906fb5b7f4bda4344a730c816cb9d92d835df4aeef1402891f30e0912835ef8e038dcfaee1ec7796db0dfc5bfbafb637618327bc95ff452310a473f7
- SSDEEP: 12288:wlbX+h1gL5pRTcAkS/3hzN8qE43fm78Vg:WbX+w5jcAkSYqyEg
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid | Process
  2468 | MSWDM.EXE
  4304 | MSWDM.EXE
  5008 | 9C9BE88B4B2AE8EA58001B80B5E24610_NEIKIANALYTICS.EXE
  1108 | MSWDM.EXE
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\devECA2.tmp | 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
  File opened for modification | C:\Windows\devECA2.tmp | MSWDM.EXE
  File created | C:\WINDOWS\MSWDM.EXE | 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4304 | MSWDM.EXE
  4304 | MSWDM.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 3284 wrote to memory of 2468 | 3284 | 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | 90
  PID 3284 wrote to memory of 2468 | 3284 | 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | 90
  PID 3284 wrote to memory of 2468 | 3284 | 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | 90
  PID 3284 wrote to memory of 4304 | 3284 | 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | 91
  PID 3284 wrote to memory of 4304 | 3284 | 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | 91
  PID 3284 wrote to memory of 4304 | 3284 | 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | 91
  PID 4304 wrote to memory of 5008 | 4304 | MSWDM.EXE | 92
  PID 4304 wrote to memory of 5008 | 4304 | MSWDM.EXE | 92
  PID 4304 wrote to memory of 1108 | 4304 | MSWDM.EXE | 94
  PID 4304 wrote to memory of 1108 | 4304 | MSWDM.EXE | 94
  PID 4304 wrote to memory of 1108 | 4304 | MSWDM.EXE | 94
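Added example, not part of the tria.ge report: the drop-and-persist pattern recorded in the signatures above, written as detection logic and run over constructed Sysmon-style records built from the report's IoCs plus two constructed benign controls. Two points a practitioner should take from the Run-key signature: the value data is a bare file name (MSWDM.EXE) with no directory, which Windows resolves through the normal executable search order, and that order includes C:\Windows, exactly where the sample dropped the file; and RunServices is a Windows 9x-era key that NT-based Windows does not process, so the second write buys no persistence on the Windows 10 image but is a useful fingerprint of old malware code carried into this sample. Field names (Image, TargetObject, Details, TargetFilename) follow Sysmon Event ID 13 (RegistryEvent, SetValue) and Event ID 11 (FileCreate); the modification of devECA2.tmp is modelled as a file-create event for simplicity, and the rule names are this example's own.

```python
"""Added example, not part of the tria.ge report: detection logic for the
drop-and-persist pattern the report records, run over constructed
Sysmon-style records (Event ID 13 fields Image, TargetObject, Details;
Event ID 11 fields Image, TargetFilename). The records are constructed
from the report's IoCs plus two benign controls; they are not sandbox output."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Autostart value under any Run-family key. RunServices/RunServicesOnce are
# Windows 9x keys that NT-based Windows never processes: a write there gives
# no persistence on Windows 10 but fingerprints old malware code.
AUTOSTART_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(RunServicesOnce|RunServices|RunOnce|Run)\\[^\\]+$",
    re.IGNORECASE)
# Value data that is a bare executable name with no directory. Windows resolves
# it through the CreateProcess search order, which includes C:\Windows, which
# is where this sample dropped MSWDM.EXE.
BARE_EXE_RE = re.compile(r'^"?([^\\/:"]+\.exe)"?(?:\s.*)?$', re.IGNORECASE)
# Executable or temp file written directly into the Windows root directory
# (not a subdirectory). Tune the extension list to your environment.
WINDOWS_ROOT_DROP_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\([^\\]+\.(?:exe|dll|tmp))$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str    # rule names are this example's own, not a product's
    image: str
    detail: str


def check_registry(ev: dict) -> List[Finding]:
    """Event ID 13: flag legacy keys and bare-filename autostart values."""
    out: List[Finding] = []
    m = AUTOSTART_RE.search(ev["TargetObject"])
    if not m:
        return out
    if m.group(1).lower().startswith("runservices"):
        out.append(Finding("autostart_legacy_runservices", ev["Image"], ev["TargetObject"]))
    if BARE_EXE_RE.match(ev["Details"]):
        out.append(Finding("autostart_bare_exe", ev["Image"],
                           f'{ev["TargetObject"]} = {ev["Details"]}'))
    return out


def check_file(ev: dict) -> List[Finding]:
    """Event ID 11: flag files written directly under C:\\Windows."""
    if WINDOWS_ROOT_DROP_RE.match(ev["TargetFilename"]):
        return [Finding("windows_root_drop", ev["Image"], ev["TargetFilename"])]
    return []


def triage(events: List[dict]) -> List[Finding]:
    """Run the per-event checks, then correlate per process: a process that
    dropped an EXE into C:\\Windows and registered that same bare file name
    as an autostart value is the dropper-persistence pattern in the report."""
    findings: List[Finding] = []
    dropped: Dict[str, set] = defaultdict(set)    # image -> basenames dropped
    autostart: Dict[str, set] = defaultdict(set)  # image -> bare names registered
    for ev in events:
        fs: List[Finding] = []
        if ev["EventID"] == 13:
            fs = check_registry(ev)
            m = BARE_EXE_RE.match(ev["Details"])
            if fs and m:
                autostart[ev["Image"]].add(m.group(1).lower())
        elif ev["EventID"] == 11:
            fs = check_file(ev)
            m = WINDOWS_ROOT_DROP_RE.match(ev["TargetFilename"])
            if fs and m:
                dropped[ev["Image"]].add(m.group(1).lower())
        findings.extend(fs)
    for image in dropped.keys() & autostart.keys():
        for name in sorted(dropped[image] & autostart[image]):
            findings.append(Finding("dropped_exe_set_as_autostart", image, name))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Unique rule names per image, for a quick triage view."""
    by_image: Dict[str, set] = defaultdict(set)
    for f in findings:
        by_image[f.image].add(f.rule)
    return {img: sorted(rules) for img, rules in by_image.items()}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe"
DROPPED = r"C:\WINDOWS\MSWDM.EXE"
EVENTS = [  # constructed from the report's IoCs, Sysmon-style field names
    {"EventID": 13, "Image": SAMPLE, "Details": "MSWDM.EXE",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM"},
    {"EventID": 13, "Image": SAMPLE, "Details": "MSWDM.EXE",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 11, "Image": DROPPED, "TargetFilename": r"C:\Windows\devECA2.tmp"},
    # constructed benign controls: a full-path Run value and a browser cache write
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 11, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.rule:30} {f.image}\n{'':30} {f.detail}")
```

The correlation step is what separates this sample from noisy single-event hits: either a Windows-root file write or a bare-name Run value can occur in legitimate software, but one process doing both with the same file name is the dropper behaviour the report's process tree shows.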
Processes
- C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe (PID 3284)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\MSWDM.EXE (PID 2468)
    Command line: "C:\WINDOWS\MSWDM.EXE"
    - Executes dropped EXE
    - Adds Run key to start application
  - C:\WINDOWS\MSWDM.EXE (PID 4304)
    Command line (as recorded): -r!C:\Windows\devECA2.tmp!C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe! !
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\9C9BE88B4B2AE8EA58001B80B5E24610_NEIKIANALYTICS.EXE (PID 5008)
      - Executes dropped EXE
    - C:\WINDOWS\MSWDM.EXE (PID 1108)
      Command line (as recorded): -e!C:\Windows\devECA2.tmp!C:\Users\Admin\AppData\Local\Temp\9C9BE88B4B2AE8EA58001B80B5E24610_NEIKIANALYTICS.EXE!
      - Executes dropped EXE
      - Drops file in Windows directory
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4308; top-level, not a child of the sample, no signatures)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3760,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 538KB
  MD5: bbc3dacb3230d9571334ee50f695ed7c
  SHA1: 178ff54e399ee53f7281227dc3bc11a9a843b502
  SHA256: 8f5a9be3e51f165a5f1ac6413d58703e06997eb46e9560754f890eb96844ecd3
  SHA512: e4e522c813c7aee70bcfa6c745b33149772a9e410ef96f811002dfb72d9979391c495788530f1302c418893d5b80291761673eed48670369a170c7b9b8a67483
- Filesize: 80KB
  MD5: c06d2bf4e02efc8301ffdee923381cfd
  SHA1: 5ceea66714bd6040a2a57baa7e9eccd2b64e994a
  SHA256: 3e7a32d9723e43ce05931b8b79f4fb8ec5eee0eafed7d4d7a635e9d5d4da5e87
  SHA512: 0f1eb53c4bf4246614141adcf351bec9778373e4f6cf9700dc5ad00cd29b767ee1c0eb8d81b174890ddbcea39155895b6cb99681c3d20573faebd315628f3cf6
- Filesize: 458KB
  MD5: 619f7135621b50fd1900ff24aade1524
  SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
  SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
  SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628