Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/06/2024, 13:40
Static task: static1
Behavioral task: behavioral1
  Sample: a540dfc809b23b92876f6353a6e76ed0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a540dfc809b23b92876f6353a6e76ed0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: a540dfc809b23b92876f6353a6e76ed0_NeikiAnalytics.exe
Size: 79KB
MD5: a540dfc809b23b92876f6353a6e76ed0
SHA1: 9725b2b8f215442ff65df50efb551da8fb8f09ba
SHA256: e7eb62aab7a756b36f7b76741ca2a4168b95a4f840a4b492204d0cd2473a40d4
SHA512: 8be6e9c266bb5c92722014e63bdd5cba11d44ee7faa89be5a8b0a16cf9762cfadf248c5e2691deb833edf3ba8b99332b1ac475abcadcb1de9ea09d0687aacfa3
SSDEEP: 1536:zvK8wXOsol+f9OQA8AkqUhMb2nuy5wgIP0CSJ+5yqB8GMGlZ5G:zvKfNoQMGdqU7uy5w9WMyqN5G
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 3028, process: [email protected]
Loads dropped DLL (2 IoCs)
  PID 3012, process: cmd.exe
  PID 3012, process: cmd.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2916 (a540dfc809b23b92876f6353a6e76ed0_NeikiAnalytics.exe) wrote to memory of PID 3012, procid_target 29
  PID 2916 (a540dfc809b23b92876f6353a6e76ed0_NeikiAnalytics.exe) wrote to memory of PID 3012, procid_target 29
  PID 2916 (a540dfc809b23b92876f6353a6e76ed0_NeikiAnalytics.exe) wrote to memory of PID 3012, procid_target 29
  PID 2916 (a540dfc809b23b92876f6353a6e76ed0_NeikiAnalytics.exe) wrote to memory of PID 3012, procid_target 29
  PID 3012 (cmd.exe) wrote to memory of PID 3028, procid_target 30
  PID 3012 (cmd.exe) wrote to memory of PID 3028, procid_target 30
  PID 3012 (cmd.exe) wrote to memory of PID 3028, procid_target 30
  PID 3012 (cmd.exe) wrote to memory of PID 3028, procid_target 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\a540dfc809b23b92876f6353a6e76ed0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a540dfc809b23b92876f6353a6e76ed0_NeikiAnalytics.exe"
   PID: 2916
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c [email protected]
      PID: 3012
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\[email protected]
         PID: 3028
Network
MITRE ATT&CK Matrix
Downloads
\Users\Admin\AppData\Local\Temp\[email protected]
  Filesize: 79KB
  MD5: 20779cf7cbb7876aa98ff31e22b4bb31
  SHA1: d341e244caa6381c99f7b9cc52d9ee0508ab7e86
  SHA256: d848fb325f6c56f5c4f77505395378944f64d975472ad5c3586a1b8f7485b9f3
  SHA512: 46249dac8da372dea025cf0dbd58aa9e407c5ae3f5b3b44ff4b02e7f68881b5ab77c2b01424c1fa190de14dd972507f9775976de99cbfa9af219b8405df9a626