Behavioral task: behavioral1
Sample: 1ad0fcbac8e07c99eb04aed7cd82c810_NeikiAnalytics.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 1ad0fcbac8e07c99eb04aed7cd82c810_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 1ad0fcbac8e07c99eb04aed7cd82c810_NeikiAnalytics
Size: 6.6MB
MD5: 1ad0fcbac8e07c99eb04aed7cd82c810
SHA1: 1218ea6997dcd5b068fba9b5a280dd52af966776
SHA256: 38dee908c466db3c12eab004c16390b7b2a6f69f5fd032e519628093876b54fa
SHA512: c9257387699ce0127901decae982ed195ff26af1037074bc120b4e9720100bf967555a72c09949f2c826e7331792abc4680d73b64b62fe7379bb1a8ac851429b
SSDEEP: 196608:3U7jFovYH+EEPS5Kk+bIQv4U6g+1iSs4B1t0vBsa:k7jUYH+ESS5KkSIQ2cSs4
Malware Config
Signatures
- yara_rule: vmprotect (resource: sample)
- Unsigned PE (1 IoCs): Checks for missing Authenticode signature. (resource: 1ad0fcbac8e07c99eb04aed7cd82c810_NeikiAnalytics)
Files
-
1ad0fcbac8e07c99eb04aed7cd82c810_NeikiAnalytics.exe windows:6 windows x64 arch:x64
d7d01ae606ef1e19441af8eaa90bbc36
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
d3d11
D3D11CreateDeviceAndSwapChain
d3dcompiler_43
D3DCompile
kernel32
SleepEx
FlsSetValue
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress
user32
ShowWindow
GetProcessWindowStation
GetUserObjectInformationW
advapi32
CryptCreateHash
shell32
ShellExecuteA
ole32
CoCreateInstance
msvcp140
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
imm32
ImmSetCompositionWindow
ntdll
NtRaiseHardError
d3dx11_43
D3DX11CreateShaderResourceViewFromMemory
urlmon
URLDownloadToFileA
normaliz
IdnToAscii
wldap32
ord22
crypt32
CertAddCertificateContextToStore
ws2_32
gethostname
rpcrt4
RpcStringFreeA
psapi
GetModuleInformation
userenv
UnloadUserProfile
vcruntime140_1
__CxxFrameHandler4
vcruntime140
__intrinsic_setjmp
api-ms-win-crt-stdio-l1-1-0
fread
api-ms-win-crt-utility-l1-1-0
rand
api-ms-win-crt-string-l1-1-0
_strdup
api-ms-win-crt-heap-l1-1-0
realloc
api-ms-win-crt-runtime-l1-1-0
_get_narrow_winmain_command_line
api-ms-win-crt-convert-l1-1-0
strtod
api-ms-win-crt-time-l1-1-0
strftime
api-ms-win-crt-filesystem-l1-1-0
_fstat64
api-ms-win-crt-multibyte-l1-1-0
_mbsicmp
api-ms-win-crt-environment-l1-1-0
getenv
api-ms-win-crt-locale-l1-1-0
_configthreadlocale
api-ms-win-crt-math-l1-1-0
sinf
wtsapi32
WTSSendMessageW
Exports
Sections
.text Size: - Virtual size: 1.2MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: - Virtual size: 511KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: - Virtual size: 1.5MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: - Virtual size: 53KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.vmp0 Size: - Virtual size: 3.3MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.vmp1 Size: 6.6MB - Virtual size: 6.6MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 512B - Virtual size: 469B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ