Analysis

  • max time kernel
    80s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    07/06/2024, 05:15

General

  • Target

    3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe

  • Size

    381KB

  • MD5

    3aae5af860d2f47f0bc153f8fa450480

  • SHA1

    cabb4f61af6ae426d42258b27c456ab1d2628d95

  • SHA256

    9018c9aee7ca42cebdd775599d71707848ec3db4eee7d3e60e7b871d15cdcc47

  • SHA512

    dd4c060a204ea49b6262cc646e6ebe8b627a957d8f5eaf42921746f25a2635e8871da26ead99bf14c83b7f36cffb6db349bc31931df146ed3cdf88fb246f04a8

  • SSDEEP

    6144:XLZ/Jd7juqVo223CQjNY4T4G/+uOuKxvtpiO11y/ncfQiBIk:1/Jxj1KNXROuKh/GnQQiBIk

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:928
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3B73.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:752
      • C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
        "C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe"
        3⤵
        • Executes dropped EXE
        PID:3708
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 828
          4⤵
          • Program crash
          PID:5092
    • C:\Windows\Logo1_.exe
      C:\Windows\Logo1_.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Windows\SysWOW64\net.exe
        net stop "Kingsoft AntiVirus Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4660
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          4⤵
          PID:1544
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3708 -ip 3708
    1⤵
    PID:4208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\7zG.exe
    Filesize
    750KB
    MD5
    4d59d2b2ff92e3e3af89f89339396413
    SHA1
    6041749150b4ea8c98bb070163b352bca5a86699
    SHA256
    90f41d47f57fa5c36b5733c51e6bf2dfbb6e8eee3bc94ea66a1456002f754d04
    SHA512
    bddf8794f7f9737c7e13e741171899aae3b53e86477211e537e0774f0ab0bb9de5b92553e8d2166d58f28e2173735007166ee93aadbb2a204f42a03992d780a5

  • C:\Users\Admin\AppData\Local\Temp\$$a3B73.bat
    Filesize
    620B
    MD5
    d95a22aef46a4a293495e469a7bd50da
    SHA1
    3748df97ff7b581328c6e6b45c9510bf42266d89
    SHA256
    66d21213be663b3c7ccbdddef6a3ac666838db455de4a3630bcf1eec77646121
    SHA512
    baa4bc812fd89d16f3e267f4db695d801b3769dcbbeb8c51670884d1e30a12e2b9f0b61f2abad3a2c4949927085f67b05f7baa0a9e689309042a1eb8c63551a9

  • C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe.exe
    Filesize
    315KB
    MD5
    ed9689986286c0a0d60b7e6bffcb92bb
    SHA1
    4dea29b5fd3e3df0c47c0f4350138d328b411143
    SHA256
    22d0773404852ce0895fc4d582674efc8e4a4f778136626280011ffc52bcc724
    SHA512
    5704069388bc3f4e4bcd0a6d9017e5cfec5bdca7b5152b0d0d069c069227c91700028a937f3dea78afca7ec07ed518a16aefa94b3bb96dd22085ffe119746895

  • C:\Windows\Logo1_.exe
    Filesize
    66KB
    MD5
    5909f0b5ede88d776e3a30ccd6284a91
    SHA1
    758db75ffd4ecfa1549e0b73b7c212af2936e758
    SHA256
    59dced98f33dd7e7853041852b61d5f591b7925e2ea58429b4154a9d6204585a
    SHA512
    b8ea963d25805e8fcb0e1ee6d05bb76b0fdae8486a2369b8181dc5a24b524f485e521fe121cde8f9bc650b9e6d2240ae6f41e7aa25cbfb895a9e8c736b6b1d08

  • memory/928-6-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize
    144KB

  • memory/1656-14-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize
    144KB

  • memory/1656-15-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize
    144KB

  • memory/1656-17-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize
    144KB

  • memory/1656-19-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize
    144KB

  • memory/1656-144-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize
    144KB

  • memory/1656-162-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize
    144KB

  • memory/1656-209-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize
    144KB

  • memory/1656-221-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize
    144KB

  • memory/3708-12-0x0000000000340000-0x0000000000392000-memory.dmp
    Filesize
    328KB

  • memory/3708-11-0x0000000074F4E000-0x0000000074F4F000-memory.dmp
    Filesize
    4KB