Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 131s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/05/2024, 08:01
Static task: static1
Behavioral task: behavioral1
Sample: a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe
Resource: win7-20231129-en
General
Target: a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe
Size: 80KB
MD5: a8e80107d8d1e64b2e2a1aa7683f3e70
SHA1: cf73995377c48a5e8a22a70d1ec04fa0e25e9891
SHA256: 8a4909edd9fc35b36e7ae79908cb83dbd4d81629691f2a00667a81f03c8d54a4
SHA512: dc5069c8da735c2675fc83a725663ad8f7e9865e7703c6277de39a19888addecd0da02fc6670752d593ccc3cc2fa4b6e395abc6595bc0540b050a2ce8bf037d7
SSDEEP: 1536:jIr3YriYiUi+H++o1eVlXd+8c0GXmvJJNHjLwl50fP5jy:jyYti0pXd+8c0GWvJ3Hvwl52W
Malware Config
Extracted (urelas):
112.175.88.207
112.175.88.208
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe

Executes dropped EXE (1 IoC)
pid | Process
1464 | huter.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2552 wrote to memory of 1464 | 2552 | a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe | 93
PID 2552 wrote to memory of 1464 | 2552 | a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe | 93
PID 2552 wrote to memory of 1464 | 2552 | a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe | 93
PID 2552 wrote to memory of 3628 | 2552 | a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe | 94
PID 2552 wrote to memory of 3628 | 2552 | a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe | 94
PID 2552 wrote to memory of 3628 | 2552 | a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe (PID 2552)
  command line: "C:\Users\Admin\AppData\Local\Temp\a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\huter.exe (PID 1464)
      command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe (PID 3628)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3304)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1032 /prefetch:8
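The six WriteProcessMemory rows in the signature table are three copies each of two distinct writes, and both targets (1464 and 3628) are direct children of the writer (2552) in the process tree. The Python below is an added example, not part of the tria.ge report: it parses the rows and the process list (both copied from this page and embedded inline), collapses the duplicates, and checks each write against the parent-child relationships. A write whose target is the writer's own child is the ordinary parent-to-child write that happens at process start; a write into a process the writer did not create is what you would pull out for injection review. The regex, the `classify_edges` labels and the helper names are my own; the pids, images and row text are the report's.

```python
import re
from collections import Counter

# Rows copied from the "Suspicious use of WriteProcessMemory" signature above
# (constructed inline from the report so the example runs offline).
WPM_ROWS = """\
PID 2552 wrote to memory of 1464 2552 a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe 93
PID 2552 wrote to memory of 1464 2552 a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe 93
PID 2552 wrote to memory of 1464 2552 a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe 93
PID 2552 wrote to memory of 3628 2552 a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe 94
PID 2552 wrote to memory of 3628 2552 a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe 94
PID 2552 wrote to memory of 3628 2552 a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe 94
"""

# Process tree copied from the "Processes" section: pid -> (parent pid or None, image path).
PROCESSES = {
    2552: (None, r"C:\Users\Admin\AppData\Local\Temp\a8e80107d8d1e64b2e2a1aa7683f3e70_NeikiAnalytics.exe"),
    1464: (2552, r"C:\Users\Admin\AppData\Local\Temp\huter.exe"),
    3628: (2552, r"C:\Windows\SysWOW64\cmd.exe"),
    3304: (None, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
}

# description column: "PID <writer> wrote to memory of <target>", then pid, Process, procid_target
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def parse_wpm_rows(text):
    """One dict per row; rows that do not match the report's layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        writer, target, image, procid = m.groups()
        rows.append({"writer": int(writer), "target": int(target),
                     "image": image, "procid_target": int(procid)})
    return rows


def collapse_edges(rows):
    """Distinct (writer, target) pairs with the number of rows behind each."""
    return dict(Counter((r["writer"], r["target"]) for r in rows))


def classify_edges(edges, processes):
    """Label each writer->target edge (labels are this example's own, not tria.ge's):
    child-spawn     target's parent is the writer (parent-to-child write at process start)
    cross-process   target exists but was not created by the writer: review for injection
    unknown-target  target pid is not in the process list"""
    verdicts = {}
    for (writer, target) in edges:
        if target not in processes:
            verdicts[(writer, target)] = "unknown-target"
        elif processes[target][0] == writer:
            verdicts[(writer, target)] = "child-spawn"
        else:
            verdicts[(writer, target)] = "cross-process"
    return verdicts


def children_of(pid, processes):
    """Sorted pids whose parent is `pid`, straight from the process tree."""
    return sorted(p for p, (parent, _image) in processes.items() if parent == pid)


def report(text=WPM_ROWS, processes=PROCESSES):
    """Human-readable summary, one line per distinct edge."""
    edges = collapse_edges(parse_wpm_rows(text))
    verdicts = classify_edges(edges, processes)
    lines = []
    for (w, t), label in sorted(verdicts.items()):
        image = processes.get(t, (None, "?"))[1]
        lines.append(f"{w} -> {t} ({image}): {edges[(w, t)]} rows, {label}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run against this report both edges come back as child-spawn: the sample writes only into huter.exe and cmd.exe, the two processes it started, and into nothing it did not create. The cmd.exe entry is worth a second look for a different reason: the command line names C:\Windows\system32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe, which is file-system redirection for a 32-bit process on x64 Windows and tells you the sample itself is a 32-bit executable.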
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 512B
MD5: 93c65a2d29a3f6fc7c703df149637d7f
SHA1: a4a27b2eec41990a52a2920818cf940e80fa358d
SHA256: 75921ea4058e7f9781fed2c5fe0263052d5eb3b192cf5f9fc0e314487d41d5db
SHA512: 7a22bbda614ee62db2b90a970b6ce67f54fbd7fe6babd77977c0c712d65544db698e7390f97b533912b660ac8f92b05d21d60d07e014a1e1810d25faa24ab176

Filesize: 80KB
MD5: 712a5ec3a78dd3f777ca1e3cd1550c57
SHA1: 624fa61ea503a0fff9548d98f45b867b995940d6
SHA256: 47da154907e3facc12c7e4176cd2131845dc35dc0f4af6a355dc55a8ccc3e0ab
SHA512: ca15e4af3967b7e1338d8daefa7d6d5bbaa3040e0dbef40840a1b32f36bbcdfb12cef84a64f959cfaa6f0bec413368bc8c2f55e68d36c8146b92fd20f795e8b2

Filesize: 304B
MD5: 2bc3da99a958a57083dd07a7b0823eef
SHA1: bfcec9488ec7484aec54d5c20e4971d22d580f0d
SHA256: d93e25fb931692d94b7ddf7f0c5fea39e02b8740c5a596b85a296b008f228f7c
SHA512: 28ea1bf949d2ed603ce02dd3e7dafe3b99b08c8ecab13696023398458ca8d8aea1257322d735c0213df1515e3d6c2ab3eb82e1e016e93674e84a83ef76889a94