Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/05/2024, 15:07
Static task: static1
Behavioral task: behavioral1
- Sample: 0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe
- Size: 12KB
- MD5: 0abaf7fd668ec7b2ba52cd03decc2ac0
- SHA1: e3aedc7dbf93de4a070e945530324298fa44febe
- SHA256: c6be66b6789888d1911e750c17f00307c83a5c951e90c172c0657a6d5283e2ac
- SHA512: 57055f0f4011fca910b3fb93fc59c1fc6b1ff55d9b0f22e014a8dd5dafde0c685955bab4ada73cfef71877f0ac711cd5fb0450024364c3b8c0495dec3ae26482
- SSDEEP: 384:jL7li/2zNq2DcEQvdhcJKLTp/NK9xaM7:ndM/Q9cM7
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (process: 0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe)
- Deletes itself (1 IoC)
  PID 3568, process: tmp50A1.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 3568, process: tmp50A1.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 352, process: 0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (9 IoCs; columns: description, pid, process, procid_target)
  PID 352 wrote to memory of 1436 | 352 | 0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe | 87
  PID 352 wrote to memory of 1436 | 352 | 0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe | 87
  PID 352 wrote to memory of 1436 | 352 | 0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe | 87
  PID 1436 wrote to memory of 2216 | 1436 | vbc.exe | 89
  PID 1436 wrote to memory of 2216 | 1436 | vbc.exe | 89
  PID 1436 wrote to memory of 2216 | 1436 | vbc.exe | 89
  PID 352 wrote to memory of 3568 | 352 | 0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe | 90
  PID 352 wrote to memory of 3568 | 352 | 0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe | 90
  PID 352 wrote to memory of 3568 | 352 | 0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe (PID 352)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1436)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cwymdrdp\cwymdrdp.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2216)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5294.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D049DDDD2A5412A8C6EC3589CA599F.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp50A1.tmp.exe (PID 3568)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp50A1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads