Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 29/06/2024, 22:58
Behavioral task: behavioral1
- Sample: 09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e_NeikiAnalytics.exe
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: 09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e_NeikiAnalytics.exe
- Size: 41KB
- MD5: 72dbeca798291c492554876ca9096030
- SHA1: 29c2d9a92b09408503f011aa4dc7958e90fd26b4
- SHA256: 09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e
- SHA512: 1cb5b93365aaa294d3c22fdb1e4da59804b46b76c6ef8ab780cff720ad25f2d143bdcad1607ddaff7ca4827e158bb3a7727ac6ed96c3c1526315b447c75b2184
- SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid    Process
2784   services.exe

Yara rule hits (resource -> yara_rule); every listed resource matched the `upx` rule:
behavioral1/memory/2328-0-0x0000000000500000-0x0000000000510200-memory.dmp    upx
behavioral1/memory/2328-4-0x0000000000220000-0x0000000000228000-memory.dmp    upx
behavioral1/files/0x000a000000013425-7.dat                                    upx
behavioral1/memory/2784-10-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral1/memory/2328-16-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral1/memory/2784-17-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral1/memory/2784-22-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral1/memory/2784-28-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral1/memory/2784-30-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral1/memory/2784-35-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral1/memory/2784-40-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral1/memory/2784-42-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral1/memory/2784-47-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral1/memory/2328-51-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral1/memory/2784-52-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral1/memory/2784-54-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral1/files/0x0005000000004ed7-67.dat                                   upx
behavioral1/memory/2328-78-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral1/memory/2784-79-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral1/memory/2328-82-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral1/memory/2784-83-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral1/memory/2328-84-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral1/memory/2784-85-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral1/memory/2784-90-0x0000000000400000-0x0000000000408000-memory.dmp   upx
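The `upx` hits above come from a yara rule over the dropped file and the memory regions of both processes. A quick independent check on a dropped or dumped PE is to walk its section table and look for the UPX0/UPX1 section names the packer leaves behind. The reader below is an added example, not tria.ge's code or its yara rule; the PE bytes it runs on are constructed in-line with `build_pe` (not this report's binary), and the check is a heuristic: a packer build with renamed sections will not trip it.

```python
# Added example (not tria.ge code): read a PE section table and flag the UPX section
# layout. The sample PE headers are constructed here, not taken from the report.
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp,
                               # PointerToSymbolTable, NumberOfSymbols,
                               # SizeOfOptionalHeader, Characteristics
SECTION_HEADER_SIZE = 40       # IMAGE_SECTION_HEADER; first 8 bytes are the name


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image in table order; raise ValueError otherwise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        COFF_HEADER_FMT, data, coff
    )
    table = coff + struct.calcsize(COFF_HEADER_FMT) + opt_size
    names = []
    for i in range(nsections):
        off = table + SECTION_HEADER_SIZE * i
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True when any section carries the UPX naming scheme (UPX0, UPX1, UPX2...)."""
    return any(name.upper().startswith("UPX") for name in pe_section_names(data))


def build_pe(section_names: list[str]) -> bytes:
    """Construct a minimal, non-runnable PE header with the given section names (test fixture)."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_header_size = 0  # no optional header is needed just to reach the section table
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(section_names), 0, 0, 0, opt_header_size, 0x102)
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\0") + b"\0" * (SECTION_HEADER_SIZE - 8)
        for name in section_names
    )
    return dos_stub + PE_SIGNATURE + coff + sections


if __name__ == "__main__":
    for label, pe in (("upx-style", build_pe(["UPX0", "UPX1", ".rsrc"])),
                      ("plain", build_pe([".text", ".rdata", ".data", ".rsrc"]))):
        print(label, pe_section_names(pe), "packed" if looks_upx_packed(pe) else "not packed")
```

On a real file, pass `open(path, "rb").read()` to `looks_upx_packed`; for the memory dumps listed above, note that the region dumped from PID 2784 at 0x400000 is the image after the UPX stub has run, so a section-name check there confirms only that the headers were left in place, not that the code is still compressed.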
Adds Run key to start application (2 TTPs, 2 IoCs)
description       ioc                                                                                                         Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"       09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e_NeikiAnalytics.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe

Drops file in Windows directory (3 IoCs)
description                   ioc                        Process
File created                  C:\Windows\services.exe    09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e_NeikiAnalytics.exe
File opened for modification  C:\Windows\java.exe        09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e_NeikiAnalytics.exe
File created                  C:\Windows\java.exe        09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                         pid    Process                                                                                  procid_target
PID 2328 wrote to memory of 2784    2328   09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e_NeikiAnalytics.exe    28
PID 2328 wrote to memory of 2784    2328   09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e_NeikiAnalytics.exe    28
PID 2328 wrote to memory of 2784    2328   09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e_NeikiAnalytics.exe    28
PID 2328 wrote to memory of 2784    2328   09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e_NeikiAnalytics.exe    28
Processes
C:\Users\Admin\AppData\Local\Temp\09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e_NeikiAnalytics.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e_NeikiAnalytics.exe"
  PID: 2328
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\services.exe (depth 2)
    command line: "C:\Windows\services.exe"
    PID: 2784
    - Executes dropped EXE
    - Adds Run key to start application
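The chain the signatures and process tree record is: the sample drops `java.exe` and `services.exe` directly into `C:\Windows`, registers `java.exe` under the 32-bit (`Wow6432Node`) Run key as `JavaVM`, and the dropped `services.exe` then registers itself as `Services`. Two details matter for hunting: the genuine `services.exe` lives only in `C:\Windows\System32`, never one level up, and the `Wow6432Node` path means the 32-bit registry view (the sample is tagged `arch:x86` on an x64 guest), so a query keyed only on the native Run key misses it. The script below is an added example, not tria.ge's code or output: it runs that logic over a constructed Sysmon-style log. The pipe-delimited line format, the use of Sysmon event IDs 11 (FileCreate) and 13 (RegistryValueSet) as the source, and the two benign events are assumptions; the paths and value names are this report's.

```python
# Added example (not tria.ge code): hunt rules for the persistence pattern in the report,
# evaluated against a constructed Sysmon-style log. Event IDs and line format are assumed.
import re
from dataclasses import dataclass

FILE_CREATE = 11        # Sysmon FileCreate
REG_VALUE_SET = 13      # Sysmon RegistryEvent (value set)

# Names the sample borrows and the only location they are legitimate in.
EXPECTED_SYSTEM_BINARIES = {
    "services.exe": r"c:\windows\system32\services.exe",
}

# Any Run value in either registry view (native or Wow6432Node); captures the value name.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
# An .exe sitting directly in the Windows root, with no subdirectory, as both drops here do.
WINDOWS_ROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


@dataclass
class Event:
    event_id: int
    image: str       # process that performed the action
    target: str      # file path (ID 11) or registry value path (ID 13)
    details: str = ""  # registry value data (ID 13)


def parse_line(line: str) -> Event:
    """Parse one constructed log line of the form '<id>|<image>|<target>|<details>'."""
    parts = line.rstrip("\n").split("|", 3)
    parts += [""] * (4 - len(parts))
    return Event(int(parts[0]), parts[1], parts[2], parts[3])


def check_event(ev: Event) -> list[str]:
    """Return a finding string for each rule the event trips (empty list if benign)."""
    findings = []
    if ev.event_id == REG_VALUE_SET:
        m = RUN_KEY_RE.search(ev.target)
        data = ev.details.strip('"')
        if m and WINDOWS_ROOT_EXE_RE.match(data):
            findings.append(
                f"Run value '{m['name']}' set by {ev.image} autostarts {data} from the Windows root"
            )
    elif ev.event_id == FILE_CREATE and WINDOWS_ROOT_EXE_RE.match(ev.target):
        findings.append(f"{ev.image} dropped executable {ev.target} into the Windows root")
        name = ev.target.rsplit("\\", 1)[-1].lower()
        if name in EXPECTED_SYSTEM_BINARIES:
            findings.append(f"{ev.target} masquerades as {EXPECTED_SYSTEM_BINARIES[name]}")
    return findings


def hunt(log: str) -> list[str]:
    """Apply check_event to every non-empty line and return all findings in log order."""
    findings = []
    for line in log.splitlines():
        if line.strip():
            findings.extend(check_event(parse_line(line)))
    return findings


# Constructed log: the first four lines mirror the report's IoCs, the last two are benign
# events (a System32 write by TrustedInstaller, a vendor Run value under Program Files).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\09e3d74b2c36b8ae95034cb980749a14549bc8a48efbbc33a5f822a7ad5c332e_NeikiAnalytics.exe"
SAMPLE_LOG = "\n".join([
    f"11|{SAMPLE}|C:\\Windows\\services.exe|",
    f"11|{SAMPLE}|C:\\Windows\\java.exe|",
    f"13|{SAMPLE}|HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\JavaVM|\"C:\\Windows\\java.exe\"",
    "13|C:\\Windows\\services.exe|HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Services|\"C:\\Windows\\services.exe\"",
    "11|C:\\Windows\\servicing\\TrustedInstaller.exe|C:\\Windows\\System32\\services.exe|",
    "13|C:\\Program Files\\Vendor\\setup.exe|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent|\"C:\\Program Files\\Vendor\\agent.exe\"",
])

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The root-directory rule is deliberately narrow (`C:\Windows\<name>.exe`, no subdirectory) so that the constant churn in `System32`, `servicing` and `Temp` does not fire it; the masquerade rule then adds the stronger signal that a core binary name appeared outside its only legitimate path.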
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 41KB
- MD5: 2d371d80bab241db96aace805acdece3
- SHA1: 75c255b77c0b4d0a77639cf916e0eedb35c9379e
- SHA256: 7f63403aa072fb34356a4d5b5f3502c5b83f2d568fc85831db6ad51ec1d134b5
- SHA512: 2df8e87b37c2487013b3e4a83cb82f7f38af89e9cc5888b2eb9ee281bf299d2d19134dbab6c35d3db5ee37b4f79a9d6c354b276eb0c2d80627a3165df6a8ea42

Filesize: 160B
- MD5: 02aa4524f0ef4faf4c0d915814061405
- SHA1: 89ea94b65723746832394be420e85ee3932a1d79
- SHA256: f7e5e649b9baff5fc4f62e8973c92f0c2955c88704672e5737fb8a6752a80128
- SHA512: 5f40455880fd44904fe16afbcf9f158341bf452a444aabad3c5f5bc1aa5f2c8cdcbe37a71d92e7afd5a8804b399b9fa45b63400a971378215d2e8f7b07521424

Filesize: 8KB
- MD5: b0fe74719b1b647e2056641931907f4a
- SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
- SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
- SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2