Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/06/2024, 20:02
Behavioral tasks
- behavioral1: sample f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe, resource win7-20231129-en
- behavioral2: sample f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe, resource win10v2004-20240426-en
General
- Target: f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe
- Size: 29KB
- MD5: f8eb659ae3b31e44ff369f42b7266460
- SHA1: c788e5681cd8590bf08f2c2d920528a59f46fff2
- SHA256: a10d22f265291dcca5b3da0f9889f9a8d4972f7953e96fcd72a4b6b53e3db522
- SHA512: 0824c10c91151cd6436fb697edfce0b68bb915c7bd51a2e7be3dfbfed3f3fe705491da9f4fc45775121c3eac02eec64d1fe1046f169b890c63779af77974b95f
- SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Zy:AEwVs+0jNDY1qi/q0
Malware Config
Signatures
- Detected microsoft outlook phishing page
- Executes dropped EXE (1 IoC)
  pid | Process
  3432 | services.exe
- yara_rule matches
  resource | yara_rule
  behavioral2/memory/3780-0-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/files/0x0008000000023423-4.dat | upx
  behavioral2/memory/3432-5-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3432-14-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3780-13-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/3432-19-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3432-24-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3432-26-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3432-31-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3432-36-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3432-38-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3432-43-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3780-47-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/3432-48-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/files/0x0004000000000705-58.dat | upx
  behavioral2/memory/3780-151-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/3432-152-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3780-276-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/3432-277-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3780-280-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/3432-281-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3780-282-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/3432-283-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/3780-323-0x0000000000500000-0x0000000000510200-memory.dmp | upx
  behavioral2/memory/3432-324-0x0000000000400000-0x0000000000408000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\services.exe | f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe
  File opened for modification | C:\Windows\java.exe | f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe
  File created | C:\Windows\java.exe | f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3780 wrote to memory of 3432 | 3780 | f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe | 82
  PID 3780 wrote to memory of 3432 | 3780 | f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe | 82
  PID 3780 wrote to memory of 3432 | 3780 | f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe | 82
Processes
- C:\Users\Admin\AppData\Local\Temp\f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f8eb659ae3b31e44ff369f42b7266460_NeikiAnalytics.exe"
  PID: 3780
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\services.exe (child process)
    command line: "C:\Windows\services.exe"
    PID: 3432
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads