Analysis
- max time kernel: 19s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03/06/2024, 05:10
Static task: static1
Behavioral task: behavioral1
- Sample: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe
- Size: 89KB
- MD5: 9c9d97287ee25fc3da5623ed1c031320
- SHA1: e54b5937142f3b1f95579148733d5b4e9d5c0cbe
- SHA256: 70163b0aae029948428e5a76e5aadbfd6a9abea33278ed076c512b79cdebb184
- SHA512: bcd033b0b88f9d1591aaad832bd340d3e66209bbbffca09d9aeb2a1001d872cef15866155dc86107bcfb42567ede5814e10c40648d71cc0fb7560e54b4672e2d
- SSDEEP: 1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FTgG+stEToa9D4ZQKbgZi1dst7x9Px3:HQC/yj5JO3MnTgG++lZQKbgZi1St7x3
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid | Process
  3008 | MSWDM.EXE
  2704 | MSWDM.EXE
  2580 | 9C9D97287EE25FC3DA5623ED1C031320_NEIKIANALYTICS.EXE
  2760 | MSWDM.EXE
- Loads dropped DLL (1 IoC)
  pid | Process
  2704 | MSWDM.EXE
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\dev21D3.tmp | 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe
  File opened for modification | C:\Windows\dev21D3.tmp | MSWDM.EXE
  File created | C:\WINDOWS\MSWDM.EXE | 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  2704 | MSWDM.EXE
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2924 wrote to memory of 3008 | 2924 | 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | 28
  PID 2924 wrote to memory of 3008 | 2924 | 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | 28
  PID 2924 wrote to memory of 3008 | 2924 | 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | 28
  PID 2924 wrote to memory of 3008 | 2924 | 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | 28
  PID 2924 wrote to memory of 2704 | 2924 | 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | 29
  PID 2924 wrote to memory of 2704 | 2924 | 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | 29
  PID 2924 wrote to memory of 2704 | 2924 | 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | 29
  PID 2924 wrote to memory of 2704 | 2924 | 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | 29
  PID 2704 wrote to memory of 2580 | 2704 | MSWDM.EXE | 30
  PID 2704 wrote to memory of 2580 | 2704 | MSWDM.EXE | 30
  PID 2704 wrote to memory of 2580 | 2704 | MSWDM.EXE | 30
  PID 2704 wrote to memory of 2580 | 2704 | MSWDM.EXE | 30
  PID 2704 wrote to memory of 2760 | 2704 | MSWDM.EXE | 31
  PID 2704 wrote to memory of 2760 | 2704 | MSWDM.EXE | 31
  PID 2704 wrote to memory of 2760 | 2704 | MSWDM.EXE | 31
  PID 2704 wrote to memory of 2760 | 2704 | MSWDM.EXE | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe (PID 2924)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\MSWDM.EXE (PID 3008)
    Command line: "C:\WINDOWS\MSWDM.EXE"
    - Executes dropped EXE
    - Adds Run key to start application
  - C:\WINDOWS\MSWDM.EXE (PID 2704)
    Command line: -r!C:\Windows\dev21D3.tmp!C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe! !
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\9C9D97287EE25FC3DA5623ED1C031320_NEIKIANALYTICS.EXE (PID 2580)
      - Executes dropped EXE
    - C:\WINDOWS\MSWDM.EXE (PID 2760)
      Command line: -e!C:\Windows\dev21D3.tmp!C:\Users\Admin\AppData\Local\Temp\9C9D97287EE25FC3DA5623ED1C031320_NEIKIANALYTICS.EXE!
      - Executes dropped EXE
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 89KB
  MD5: c3ad8f41711821f463ccac4ac773e23b
  SHA1: a6b15a9378979a68efb06c46677c2b8e3c8bd9cf
  SHA256: 153fb3735dd4884df55c97b168ad02b61bebc7e7c8b2dfcbbbc6b08ebda1ec76
  SHA512: f075253f1ed890ba0b8542d147c8395be42b9e10ccc3ff7fddb10abc21158a0e65dffd4fef965c4ce86baeefa49f33b188f5dd22a9589f5bcd2107331c11b056
- Filesize: 47KB
  MD5: 1e3f1a37d6507bf20172df8e2b7c1cfa
  SHA1: dadccd6e193266ef67bdd26755ddf6b4fca5c972
  SHA256: 358b67a4e4e2e85088727bb92e5d60fefba25e66db1e39f563067b1d102d684d
  SHA512: dab264a506fa195bb5dd91622ba7a79a0f4564e2b34a16a2367ce352d3a4b254934c3c932aea1751ad85ff3618aadd8dc4708d29a058f65764460662befb319f
- Filesize: 41KB
  MD5: 977e405c109268909fd24a94cc23d4f0
  SHA1: af5d032c2b6caa2164cf298e95b09060665c4188
  SHA256: cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f
  SHA512: 12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5