Analysis
- max time kernel: 80s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/06/2024, 05:15
Static task: static1
Behavioral task: behavioral1
- Sample: 3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
- Size: 381KB
- MD5: 3aae5af860d2f47f0bc153f8fa450480
- SHA1: cabb4f61af6ae426d42258b27c456ab1d2628d95
- SHA256: 9018c9aee7ca42cebdd775599d71707848ec3db4eee7d3e60e7b871d15cdcc47
- SHA512: dd4c060a204ea49b6262cc646e6ebe8b627a957d8f5eaf42921746f25a2635e8871da26ead99bf14c83b7f36cffb6db349bc31931df146ed3cdf88fb246f04a8
- SSDEEP: 6144:XLZ/Jd7juqVo223CQjNY4T4G/+uOuKxvtpiO11y/ncfQiBIk:1/Jxj1KNXROuKh/GnQQiBIk
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid | Process
  1656 | Logo1_.exe
  3708 | 3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only) | Process: Logo1_.exe | ioc: \??\U:, \??\T:, \??\S:, \??\P:, \??\M:, \??\I:, \??\Z:, \??\W:, \??\K:, \??\G:, \??\Y:, \??\R:, \??\O:, \??\L:, \??\H:, \??\X:, \??\Q:, \??\N:, \??\J:, \??\E:, \??\V:
- Drops file in Program Files directory (64 IoCs)
  description: File opened for modification | Process: Logo1_.exe | ioc: executables under C:\Program Files (full list omitted)
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Logo1_.exe | 3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
  File created | C:\Windows\vDll.dll | Logo1_.exe
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  5092 | 3708 | WerFault.exe | 89
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process
  1656 | Logo1_.exe (16 occurrences)
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 928 wrote to memory of 752 | 928 | 3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe | 83 (3 occurrences)
  PID 928 wrote to memory of 1656 | 928 | 3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe | 84 (3 occurrences)
  PID 1656 wrote to memory of 4660 | 1656 | Logo1_.exe | 86 (3 occurrences)
  PID 4660 wrote to memory of 1544 | 4660 | net.exe | 88 (3 occurrences)
  PID 752 wrote to memory of 3708 | 752 | cmd.exe | 89 (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe (level 1, PID 928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 752)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3B73.bat
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe (level 3, PID 3708)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe"
      - Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe (level 4, PID 5092)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 828
        - Program crash
  - C:\Windows\Logo1_.exe (level 2, PID 1656)
    Command line: C:\Windows\Logo1_.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (level 3, PID 4660)
      Command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (level 4, PID 1544)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
- C:\Windows\SysWOW64\WerFault.exe (level 1, PID 4208)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3708 -ip 3708
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 750KB
  MD5: 4d59d2b2ff92e3e3af89f89339396413
  SHA1: 6041749150b4ea8c98bb070163b352bca5a86699
  SHA256: 90f41d47f57fa5c36b5733c51e6bf2dfbb6e8eee3bc94ea66a1456002f754d04
  SHA512: bddf8794f7f9737c7e13e741171899aae3b53e86477211e537e0774f0ab0bb9de5b92553e8d2166d58f28e2173735007166ee93aadbb2a204f42a03992d780a5
- Filesize: 620B
  MD5: d95a22aef46a4a293495e469a7bd50da
  SHA1: 3748df97ff7b581328c6e6b45c9510bf42266d89
  SHA256: 66d21213be663b3c7ccbdddef6a3ac666838db455de4a3630bcf1eec77646121
  SHA512: baa4bc812fd89d16f3e267f4db695d801b3769dcbbeb8c51670884d1e30a12e2b9f0b61f2abad3a2c4949927085f67b05f7baa0a9e689309042a1eb8c63551a9
- Filesize: 315KB
  MD5: ed9689986286c0a0d60b7e6bffcb92bb
  SHA1: 4dea29b5fd3e3df0c47c0f4350138d328b411143
  SHA256: 22d0773404852ce0895fc4d582674efc8e4a4f778136626280011ffc52bcc724
  SHA512: 5704069388bc3f4e4bcd0a6d9017e5cfec5bdca7b5152b0d0d069c069227c91700028a937f3dea78afca7ec07ed518a16aefa94b3bb96dd22085ffe119746895
- Filesize: 66KB
  MD5: 5909f0b5ede88d776e3a30ccd6284a91
  SHA1: 758db75ffd4ecfa1549e0b73b7c212af2936e758
  SHA256: 59dced98f33dd7e7853041852b61d5f591b7925e2ea58429b4154a9d6204585a
  SHA512: b8ea963d25805e8fcb0e1ee6d05bb76b0fdae8486a2369b8181dc5a24b524f485e521fe121cde8f9bc650b9e6d2240ae6f41e7aa25cbfb895a9e8c736b6b1d08