Analysis
- max time kernel: 25s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/06/2024, 17:19
Behavioral task: behavioral1
- Sample: 25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: 25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
- Size: 1.1MB
- MD5: 25c4ce2ffaab5c90ab3db93da47824b0
- SHA1: 37d9b8295a2c01066da046cf0fdf52fff71e77e8
- SHA256: 72136e8310d637c30846aa80ddf9669fccef08c9ce42cc8015829e65a361da7a
- SHA512: 7e9437e5ef79ca2a19e6b57a057f45f8d273eaad011a1207d545d2c3c0d2cf009216c5263709831b6a9e7bbfc91877b356a72bef7367c9a3651aaa239466001c
- SSDEEP: 12288:xGIqOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey+K:xPnajQEPnvg6PhWDC750K
Malware Config
Signatures
- YARA rule matches (resource / yara_rule)
  - behavioral2/files/0x000800000002327d-6.dat: aspack_v212_v242
  - behavioral2/files/0x0007000000023451-23.dat: aspack_v212_v242
- Executes dropped EXE (4 IoCs; pid / Process)
  - 3320: MSWDM.EXE
  - 3348: MSWDM.EXE
  - 4072: 25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
  - 1396: MSWDM.EXE
- Adds Run key to start application (2 TTPs, 4 IoCs; description / ioc / Process)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" (MSWDM.EXE)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" (MSWDM.EXE)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" (25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" (25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe)
- Drops file in Windows directory (3 IoCs; description / ioc / Process)
  - File created: C:\WINDOWS\MSWDM.EXE (25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe)
  - File opened for modification: C:\Windows\dev474A.tmp (25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe)
  - File opened for modification: C:\Windows\dev474A.tmp (MSWDM.EXE)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs; pid / pid_target / Process / procid_target)
  - 1488 / 4072 / WerFault.exe / 84
- Suspicious behavior: EnumeratesProcesses (2 IoCs; pid / Process)
  - 3348: MSWDM.EXE
  - 3348: MSWDM.EXE
- Suspicious use of SetWindowsHookEx (4 IoCs; pid / Process)
  - 4072: 25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
  - 4072: 25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
  - 4072: 25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
  - 4072: 25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
- Suspicious use of WriteProcessMemory (12 IoCs; description / pid / Process / procid_target)
  - PID 1792 wrote to memory of 3320 (25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe, target 82)
  - PID 1792 wrote to memory of 3320 (25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe, target 82)
  - PID 1792 wrote to memory of 3320 (25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe, target 82)
  - PID 1792 wrote to memory of 3348 (25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe, target 83)
  - PID 1792 wrote to memory of 3348 (25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe, target 83)
  - PID 1792 wrote to memory of 3348 (25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe, target 83)
  - PID 3348 wrote to memory of 4072 (MSWDM.EXE, target 84)
  - PID 3348 wrote to memory of 4072 (MSWDM.EXE, target 84)
  - PID 3348 wrote to memory of 4072 (MSWDM.EXE, target 84)
  - PID 3348 wrote to memory of 1396 (MSWDM.EXE, target 88)
  - PID 3348 wrote to memory of 1396 (MSWDM.EXE, target 88)
  - PID 3348 wrote to memory of 1396 (MSWDM.EXE, target 88)
Processes
- C:\Users\Admin\AppData\Local\Temp\25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe"
  PID: 1792
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\MSWDM.EXE
    Command line: "C:\WINDOWS\MSWDM.EXE"
    PID: 3320
    - Executes dropped EXE
    - Adds Run key to start application
  - C:\WINDOWS\MSWDM.EXE
    Command line: -r!C:\Windows\dev474A.tmp!C:\Users\Admin\AppData\Local\Temp\25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe! !
    PID: 3348
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
      PID: 4072
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1420
        PID: 1488
        - Program crash
    - C:\WINDOWS\MSWDM.EXE
      Command line: -e!C:\Windows\dev474A.tmp!C:\Users\Admin\AppData\Local\Temp\25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE!
      PID: 1396
      - Executes dropped EXE
      - Drops file in Windows directory
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4072 -ip 4072
  PID: 112
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: f70ae5f69c8e4e4eae671067c6e15ca3
  SHA1: 692e1a6ef388506108570ef1715e6217b90b806c
  SHA256: af95a8605a0b147f4b40881a13b61fa5f7d45df9685bba7f24277f23832db82e
  SHA512: 12b40bfb30c408f07b5ac1ffbbaffe58343c397b19de8899917de94480254b3005ea7f7d83932f7fc0d557158a86a639c2d9f024a05b7a6ab52432e92507f4c9
- Filesize: 39KB
  MD5: 54f0aee171995aebdb1eb063789085c5
  SHA1: a1cf32099b88b75a8b08e7667909478194be84cc
  SHA256: 976ee774d60fb66dfb9e38140a8933747a9a583f59ad58e02eb280c5f47efef9
  SHA512: 405b6978cfee79bbdec3b2b6ae9ae98c985c42330963677edaf106f34cbab126bcab845252ee7f08b8e8ef4269f1a900c45f6ba8ef1c7bec050e657b0551d594
- Filesize: 1.1MB
  MD5: b0375fadbb808beaf33971aa2b1b56e2
  SHA1: 2b978167e0b264e7dd3484c61df8b31799f6867f
  SHA256: 92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33
  SHA512: 8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58