Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/06/2024, 16:11
Static task: static1

Behavioral task: behavioral1
- Sample: 6b1c5fafb42b37cb091346d564480bc0_NeikiAnalytics.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 6b1c5fafb42b37cb091346d564480bc0_NeikiAnalytics.exe
- Resource: win10v2004-20240226-en
General
- Target: 6b1c5fafb42b37cb091346d564480bc0_NeikiAnalytics.exe
- Size: 79KB
- MD5: 6b1c5fafb42b37cb091346d564480bc0
- SHA1: 8cce94e7aafdd020318bdfbd00c3bdcda8902eec
- SHA256: fe4fa7305de0aede7733cbb11d57a45d5a57fe79d0713e26a59e620421f71fa5
- SHA512: 74e149c0d97d322fe021730a9544763a6cd65346f8d570b7c6351464111723ef7b7297ba0e4bdb8a863aea27131c8f6e7c4ce1211ac0765e965779834d9f06b2
- SSDEEP: 1536:zvmkZZZb2LA41Wq6OQA8AkqUhMb2nuy5wgIP0CSJ+5y/B8GMGlZ5G:zvmq2LCCGdqU7uy5w9WMy/N5G
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2680  [email protected]
- Loads dropped DLL (2 IoCs)
  pid   Process
  3004  cmd.exe
  3004  cmd.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                               procid_target
  PID 1368 wrote to memory of 3004   1368  6b1c5fafb42b37cb091346d564480bc0_NeikiAnalytics.exe   29
  PID 1368 wrote to memory of 3004   1368  6b1c5fafb42b37cb091346d564480bc0_NeikiAnalytics.exe   29
  PID 1368 wrote to memory of 3004   1368  6b1c5fafb42b37cb091346d564480bc0_NeikiAnalytics.exe   29
  PID 1368 wrote to memory of 3004   1368  6b1c5fafb42b37cb091346d564480bc0_NeikiAnalytics.exe   29
  PID 3004 wrote to memory of 2680   3004  cmd.exe                                               30
  PID 3004 wrote to memory of 2680   3004  cmd.exe                                               30
  PID 3004 wrote to memory of 2680   3004  cmd.exe                                               30
  PID 3004 wrote to memory of 2680   3004  cmd.exe                                               30
Processes
- C:\Users\Admin\AppData\Local\Temp\6b1c5fafb42b37cb091346d564480bc0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b1c5fafb42b37cb091346d564480bc0_NeikiAnalytics.exe"
  PID: 1368
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c [email protected]
    PID: 3004
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\[email protected]
      PID: 2680
Network
MITRE ATT&CK Matrix
Downloads
- \Users\Admin\AppData\Local\Temp\[email protected]
  Filesize: 79KB
  MD5: ac2b834190b5db2c6ee8f89cd831632d
  SHA1: 1ca59632d11ae4281dbb6ed45343f3636ba27f14
  SHA256: 6f4eb35b6fac44db2d68211c4fc16a180cff9c1aac75d8a7b31ff0a440afb700
  SHA512: 662b53a51ba1eda2fecd6d32935722482175b27525482f59a56e18fd4c4603255baea9ad3bba9f413dc9791eaa5f0bc9ec0f892d24bc249321f6089694006bb0