Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
27/06/2024, 10:10
Static task
static1
Behavioral task
behavioral1
Sample
7a9ef8bc0b25c451328716cd7ccfb2715313e45b8f42bdb725a4e07d1fcc039c_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
7a9ef8bc0b25c451328716cd7ccfb2715313e45b8f42bdb725a4e07d1fcc039c_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
General
-
Target
7a9ef8bc0b25c451328716cd7ccfb2715313e45b8f42bdb725a4e07d1fcc039c_NeikiAnalytics.exe
-
Size
784KB
-
MD5
14d80c67380942f50a1a0114ccce7590
-
SHA1
583d9e530c224bb043d5a74f99e6111c8f3096c5
-
SHA256
7a9ef8bc0b25c451328716cd7ccfb2715313e45b8f42bdb725a4e07d1fcc039c
-
SHA512
6fba9e27f209d2362eb25343d35dbac5fb2cb3ce6cd6171f6bca005f9f2b436f09c9dabc29cdc87fb490197ee73cda2acce10b703631fb6c90e4017d205fb510
-
SSDEEP
12288:4jauDReWsTfI0Wq8OW4yc0FehQBbj5xW/HR/68lr+t4vLFt7X04uPuR7GbRErgcF:4DD0DN8TWxrFgrYTW98
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 960 ywrbih.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\ywrbih.exe" ywrbih.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 628 wrote to memory of 960 628 7a9ef8bc0b25c451328716cd7ccfb2715313e45b8f42bdb725a4e07d1fcc039c_NeikiAnalytics.exe 82 PID 628 wrote to memory of 960 628 7a9ef8bc0b25c451328716cd7ccfb2715313e45b8f42bdb725a4e07d1fcc039c_NeikiAnalytics.exe 82 PID 628 wrote to memory of 960 628 7a9ef8bc0b25c451328716cd7ccfb2715313e45b8f42bdb725a4e07d1fcc039c_NeikiAnalytics.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a9ef8bc0b25c451328716cd7ccfb2715313e45b8f42bdb725a4e07d1fcc039c_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\7a9ef8bc0b25c451328716cd7ccfb2715313e45b8f42bdb725a4e07d1fcc039c_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:628 -
C:\ProgramData\ywrbih.exe"C:\ProgramData\ywrbih.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:960
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
784KB
MD52e8044314aa083f9b896848ccf76942b
SHA1818c20ced13bd336d49b335628d3ec42b4222032
SHA2560cabae06ec2aefeb0088f63cefa2bc2f4acadd280f9b87585ee41ab63aa88321
SHA512c147c1f1645dba7e9acdf02065caf34778dd9893ba88fddee6a1aade0d137602d850d06c06772dacece52a91caaf4f204619901bd20590e42181e6e81edf48ab
-
Filesize
136KB
MD5cb4c442a26bb46671c638c794bf535af
SHA18a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
SHA256f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
SHA512074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3
-
Filesize
647KB
MD521ed61375199bb3b1a27721abbbf54f0
SHA1643ae403edb6af2949dc1778fc644b727447442c
SHA25611f0e89b72fc62658c3a36363a40ee31c9875e2293853238063e91b4a2e50a3c
SHA512dbfbccefe92c9d5bff4b35b6c6956981da39d6d8108e26d06e87ddffa6e6dbba1d5b36433086c7e94e1de1a58ccbd3160d44f3d9b783e792b131d48f337598e3