Analysis
- max time kernel: 101s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/06/2024, 05:15
Static task
- static1
Behavioral task
- behavioral1
  Sample: 3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: 3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
- Size: 381KB
- MD5: 3aae5af860d2f47f0bc153f8fa450480
- SHA1: cabb4f61af6ae426d42258b27c456ab1d2628d95
- SHA256: 9018c9aee7ca42cebdd775599d71707848ec3db4eee7d3e60e7b871d15cdcc47
- SHA512: dd4c060a204ea49b6262cc646e6ebe8b627a957d8f5eaf42921746f25a2635e8871da26ead99bf14c83b7f36cffb6db349bc31931df146ed3cdf88fb246f04a8
- SSDEEP: 6144:XLZ/Jd7juqVo223CQjNY4T4G/+uOuKxvtpiO11y/ncfQiBIk:1/Jxj1KNXROuKh/GnQQiBIk
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  2892  cmd.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  2944  Logo1_.exe
  2648  3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2892  cmd.exe
  2920  WerFault.exe
  2920  WerFault.exe
  2920  WerFault.exe
  2920  WerFault.exe
  2920  WerFault.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\V:  Logo1_.exe
  File opened (read-only)  \??\T:  Logo1_.exe
  File opened (read-only)  \??\Q:  Logo1_.exe
  File opened (read-only)  \??\M:  Logo1_.exe
  File opened (read-only)  \??\K:  Logo1_.exe
  File opened (read-only)  \??\E:  Logo1_.exe
  File opened (read-only)  \??\W:  Logo1_.exe
  File opened (read-only)  \??\O:  Logo1_.exe
  File opened (read-only)  \??\G:  Logo1_.exe
  File opened (read-only)  \??\X:  Logo1_.exe
  File opened (read-only)  \??\Y:  Logo1_.exe
  File opened (read-only)  \??\N:  Logo1_.exe
  File opened (read-only)  \??\L:  Logo1_.exe
  File opened (read-only)  \??\I:  Logo1_.exe
  File opened (read-only)  \??\H:  Logo1_.exe
  File opened (read-only)  \??\Z:  Logo1_.exe
  File opened (read-only)  \??\S:  Logo1_.exe
  File opened (read-only)  \??\R:  Logo1_.exe
  File opened (read-only)  \??\P:  Logo1_.exe
  File opened (read-only)  \??\J:  Logo1_.exe
  File opened (read-only)  \??\U:  Logo1_.exe
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (2 IoCs)
  description   ioc                    Process
  File created  C:\Windows\Logo1_.exe  3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
  File created  C:\Windows\vDll.dll    Logo1_.exe
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2920  2648        WerFault.exe  32
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  2944  Logo1_.exe
  2944  Logo1_.exe
  2944  Logo1_.exe
  2944  Logo1_.exe
  2944  Logo1_.exe
  2944  Logo1_.exe
  2944  Logo1_.exe
  2944  Logo1_.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description                       pid   Process                                              procid_target
  PID 2744 wrote to memory of 2892  2744  3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe  28
  PID 2744 wrote to memory of 2892  2744  3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe  28
  PID 2744 wrote to memory of 2892  2744  3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe  28
  PID 2744 wrote to memory of 2892  2744  3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe  28
  PID 2744 wrote to memory of 2944  2744  3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe  30
  PID 2744 wrote to memory of 2944  2744  3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe  30
  PID 2744 wrote to memory of 2944  2744  3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe  30
  PID 2744 wrote to memory of 2944  2744  3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe  30
  PID 2944 wrote to memory of 2624  2944  Logo1_.exe                                           31
  PID 2944 wrote to memory of 2624  2944  Logo1_.exe                                           31
  PID 2944 wrote to memory of 2624  2944  Logo1_.exe                                           31
  PID 2944 wrote to memory of 2624  2944  Logo1_.exe                                           31
  PID 2892 wrote to memory of 2648  2892  cmd.exe                                              32
  PID 2892 wrote to memory of 2648  2892  cmd.exe                                              32
  PID 2892 wrote to memory of 2648  2892  cmd.exe                                              32
  PID 2892 wrote to memory of 2648  2892  cmd.exe                                              32
  PID 2624 wrote to memory of 2612  2624  net.exe                                              34
  PID 2624 wrote to memory of 2612  2624  net.exe                                              34
  PID 2624 wrote to memory of 2612  2624  net.exe                                              34
  PID 2624 wrote to memory of 2612  2624  net.exe                                              34
  PID 2648 wrote to memory of 2920  2648  3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe  35
  PID 2648 wrote to memory of 2920  2648  3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe  35
  PID 2648 wrote to memory of 2920  2648  3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe  35
  PID 2648 wrote to memory of 2920  2648  3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe  35
Processes
- C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe"
  PID: 2744
  Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a73F8.bat
    PID: 2892
    Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe"
      PID: 2648
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 540
        PID: 2920
        Signatures: Loads dropped DLL; Program crash
  - C:\Windows\Logo1_.exe
    Command line: C:\Windows\Logo1_.exe
    PID: 2944
    Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      PID: 2624
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 2612
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 620B
  MD5: e92c7807863c633f80ad256e7a5de25f
  SHA1: 845be14874d1d79e60f54092b81cdae724289520
  SHA256: 2ffe4096ec6a5847186269f81d78dd1c0db49e9a5e0c02496808dc2f7a917f5f
  SHA512: 2a690344eb3d988684cefe5884e47ef8bba94f16d812876be62b05426c739b69d2a12f2bb9778d3a9e2258a52afcd8d7fcb0d0608cb617ac35383842e94d9679
- Filesize: 315KB
  MD5: ed9689986286c0a0d60b7e6bffcb92bb
  SHA1: 4dea29b5fd3e3df0c47c0f4350138d328b411143
  SHA256: 22d0773404852ce0895fc4d582674efc8e4a4f778136626280011ffc52bcc724
  SHA512: 5704069388bc3f4e4bcd0a6d9017e5cfec5bdca7b5152b0d0d069c069227c91700028a937f3dea78afca7ec07ed518a16aefa94b3bb96dd22085ffe119746895
- Filesize: 66KB
  MD5: 5909f0b5ede88d776e3a30ccd6284a91
  SHA1: 758db75ffd4ecfa1549e0b73b7c212af2936e758
  SHA256: 59dced98f33dd7e7853041852b61d5f591b7925e2ea58429b4154a9d6204585a
  SHA512: b8ea963d25805e8fcb0e1ee6d05bb76b0fdae8486a2369b8181dc5a24b524f485e521fe121cde8f9bc650b9e6d2240ae6f41e7aa25cbfb895a9e8c736b6b1d08