Analysis
- max time kernel: 22s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/06/2024, 05:10
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe
  - Resource: win7-20240221-en
Behavioral task
- behavioral2
  - Sample: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe
  - Resource: win10v2004-20240508-en
General
- Target: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe
- Size: 89KB
- MD5: 9c9d97287ee25fc3da5623ed1c031320
- SHA1: e54b5937142f3b1f95579148733d5b4e9d5c0cbe
- SHA256: 70163b0aae029948428e5a76e5aadbfd6a9abea33278ed076c512b79cdebb184
- SHA512: bcd033b0b88f9d1591aaad832bd340d3e66209bbbffca09d9aeb2a1001d872cef15866155dc86107bcfb42567ede5814e10c40648d71cc0fb7560e54b4672e2d
- SSDEEP: 1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FTgG+stEToa9D4ZQKbgZi1dst7x9Px3:HQC/yj5JO3MnTgG++lZQKbgZi1St7x3
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
- PID 4220: MSWDM.EXE
- PID 2024: MSWDM.EXE
- PID 4256: 9C9D97287EE25FC3DA5623ED1C031320_NEIKIANALYTICS.EXE
- PID 3508: MSWDM.EXE
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" (process: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" (process: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" (process: MSWDM.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" (process: MSWDM.EXE)
Drops file in Windows directory (3 IoCs)
- File created: C:\WINDOWS\MSWDM.EXE (process: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe)
- File opened for modification: C:\Windows\dev5052.tmp (process: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe)
- File opened for modification: C:\Windows\dev5052.tmp (process: MSWDM.EXE)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2024: MSWDM.EXE
- PID 2024: MSWDM.EXE
Suspicious use of WriteProcessMemory (11 IoCs)
- PID 3960 wrote to memory of 4220 (process: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe, procid_target: 82)
- PID 3960 wrote to memory of 4220 (process: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe, procid_target: 82)
- PID 3960 wrote to memory of 4220 (process: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe, procid_target: 82)
- PID 3960 wrote to memory of 2024 (process: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe, procid_target: 83)
- PID 3960 wrote to memory of 2024 (process: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe, procid_target: 83)
- PID 3960 wrote to memory of 2024 (process: 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe, procid_target: 83)
- PID 2024 wrote to memory of 4256 (process: MSWDM.EXE, procid_target: 84)
- PID 2024 wrote to memory of 4256 (process: MSWDM.EXE, procid_target: 84)
- PID 2024 wrote to memory of 3508 (process: MSWDM.EXE, procid_target: 85)
- PID 2024 wrote to memory of 3508 (process: MSWDM.EXE, procid_target: 85)
- PID 2024 wrote to memory of 3508 (process: MSWDM.EXE, procid_target: 85)
Processes
- C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe (PID 3960)
  command line: "C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\MSWDM.EXE (PID 4220)
    command line: "C:\WINDOWS\MSWDM.EXE"
    - Executes dropped EXE
    - Adds Run key to start application
  - C:\WINDOWS\MSWDM.EXE (PID 2024)
    command line: -r!C:\Windows\dev5052.tmp!C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe! !
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\9C9D97287EE25FC3DA5623ED1C031320_NEIKIANALYTICS.EXE (PID 4256)
      - Executes dropped EXE
    - C:\WINDOWS\MSWDM.EXE (PID 3508)
      command line: -e!C:\Windows\dev5052.tmp!C:\Users\Admin\AppData\Local\Temp\9C9D97287EE25FC3DA5623ED1C031320_NEIKIANALYTICS.EXE!
      - Executes dropped EXE
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads