Analysis
  max time kernel: 93s
  max time network: 94s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10/05/2024, 18:58
Tasks
  static1: static task
  behavioral1: behavioral task, sample 4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe, resource win7-20240220-en
  behavioral2: behavioral task, sample 4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe, resource win10v2004-20240508-en (the run whose results are reported below)
General
  Target: 4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe
  Size: 12KB
  MD5: 4a2b844cc3569863df29389496680c10
  SHA1: 485d6c18331112391d7ae64e6d35728fb10c3331
  SHA256: ac78ae6859e76adecb9a7d3832fcd7d78ecda878e47c1d747954bc5f17bf74f8
  SHA512: 5a5329a4a19ec550b42d34b5581071a85b30c42890decfd1da67f92f70fc16f529b2d8b98edde470968924eb8f8706b8c802b7afa2f5b89c6611001cfb3c9cf1
  SSDEEP: 384:FL7li/2ztq2DcEQvdhcJKLTp/NK9xado:FtM/Q9cdo
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
  Process: 4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe

Deletes itself (1 IoC)
  PID 1952, tmp7427.tmp.exe

Executes dropped EXE (1 IoC)
  PID 1952, tmp7427.tmp.exe

Uses the VBS compiler for execution (1 TTP)
The "VBS compiler" here is vbc.exe, the .NET Visual Basic compiler, not a script host (see the process tree below). The sample compiles generated source at runtime, the vbc.exe /noconfig @response-file followed by cvtres.exe sequence that the .NET CodeDOM providers produce, rather than running a script.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1012, 4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                              procid_target
  PID 1012 wrote to memory of 4508  1012  4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe  85
  PID 1012 wrote to memory of 4508  1012  4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe  85
  PID 1012 wrote to memory of 4508  1012  4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe  85
  PID 4508 wrote to memory of 2644  4508  vbc.exe                                              87
  PID 4508 wrote to memory of 2644  4508  vbc.exe                                              87
  PID 4508 wrote to memory of 2644  4508  vbc.exe                                              87
  PID 1012 wrote to memory of 1952  1012  4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe  88
  PID 1012 wrote to memory of 1952  1012  4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe  88
  PID 1012 wrote to memory of 1952  1012  4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe  88
  Every write targets a process the writer itself created (4508, 2644 and 1952 are exactly the three child processes in the tree below), three writes per child. That is consistent with the writes a parent makes into a freshly created child during process start-up; nothing here shows a write into a process the sample did not spawn.
Processes

C:\Users\Admin\AppData\Local\Temp\4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe (PID 1012)
  command line: "C:\Users\Admin\AppData\Local\Temp\4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 4508)
  |     command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4ygqeejf\4ygqeejf.cmdline"
  |     signatures: Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2644)
  |           command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC19E0B7F276A42259F448DCABFA3A57E.TMP"
  |
  +-- C:\Users\Admin\AppData\Local\Temp\tmp7427.tmp.exe (PID 1952)
        command line: "C:\Users\Admin\AppData\Local\Temp\tmp7427.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe
        signatures: Deletes itself; Executes dropped EXE
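The tree above shows two patterns worth alerting on: a .NET command-line compiler (vbc.exe with /noconfig and an @response file, followed by cvtres.exe) launched by an executable running from %TEMP%, and a freshly dropped tmp*.tmp.exe started with the original sample's path as its only argument. The Python below is an added example, not part of the tria.ge report or any tool it uses: it parses a constructed, pipe-delimited process log whose entries copy the PIDs, image paths and command lines from the tree, and flags both patterns. The explorer.exe parent of PID 1012 and the benign dotnet.exe/csc.exe pair are assumptions added for contrast, and the allowlist of expected compiler parents is a starting assumption to be tuned, not something the report states.

```python
"""Flag two process-tree patterns from the report above.

Added example, not part of the tria.ge report. The log is constructed by
hand in a made-up pid|ppid|image|cmdline format (not Sysmon or any real
EDR schema); PIDs, images and command lines copy the tree on the page.
The explorer.exe parent of PID 1012 and the dotnet.exe/csc.exe pair are
assumptions added for contrast.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
4000|3000|C:\Windows\explorer.exe|C:\Windows\explorer.exe
1012|4000|C:\Users\Admin\AppData\Local\Temp\4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe|"C:\Users\Admin\AppData\Local\Temp\4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe"
4508|1012|C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe|"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4ygqeejf\4ygqeejf.cmdline"
2644|4508|C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC19E0B7F276A42259F448DCABFA3A57E.TMP"
1952|1012|C:\Users\Admin\AppData\Local\Temp\tmp7427.tmp.exe|"C:\Users\Admin\AppData\Local\Temp\tmp7427.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe
5100|4000|C:\Program Files\dotnet\dotnet.exe|"C:\Program Files\dotnet\dotnet.exe" build
5101|5100|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe|csc.exe /noconfig @"C:\proj\obj\Debug\x.cmdline"
"""

# Parents that legitimately drive csc.exe/vbc.exe: an assumed starting
# allowlist, not something the report states. Tune it to the estate.
EXPECTED_COMPILER_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
COMPILERS = {"vbc.exe", "csc.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TMP_EXE_RE = re.compile(r"^tmp[0-9a-f]+\.tmp\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_log(text):
    """Parse the constructed pid|ppid|image|cmdline lines (cmdline may contain '|')."""
    events = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv(cmdline):
    """Windows-style split: quoted runs (optionally @-prefixed) stay whole."""
    return re.findall(r'@?"[^"]*"|\S+', cmdline)


def detect_runtime_compilation(events):
    """csc.exe/vbc.exe /noconfig @response driven by something other than a build tool."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for e in events:
        if basename(e.image) not in COMPILERS:
            continue
        args = argv(e.cmdline)[1:]
        response = next((a[1:].strip('"') for a in args if a.startswith("@")), None)
        if response is None or "/noconfig" not in [a.lower() for a in args]:
            continue
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else "<unknown>"
        reasons = []
        if parent_name not in EXPECTED_COMPILER_PARENTS:
            reasons.append(f"parent {parent_name} is not a build tool")
        if parent and TEMP_RE.search(parent.image):
            reasons.append("parent image lives in %TEMP%")
        if TEMP_RE.search(response):
            reasons.append("response file lives in %TEMP%")
        if not reasons:
            continue
        # cvtres.exe under the compiler, as in the tree above, is the resource step
        # of the same build; record it so the analyst sees the whole chain.
        linked = any(basename(c.image) == "cvtres.exe" for c in children.get(e.pid, []))
        findings.append({"pid": e.pid, "parent_pid": e.ppid, "compiler": basename(e.image),
                         "response_file": response, "cvtres_child": linked, "reasons": reasons})
    return findings


def detect_cleanup_handoff(events):
    """A tmp<hex>.tmp.exe child started with its parent's own image path as an argument."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not TMP_EXE_RE.match(basename(e.image)):
            continue
        args = [a.strip('"').lower() for a in argv(e.cmdline)[1:]]
        if parent.image.lower() in args:
            findings.append({"pid": e.pid, "dropped": e.image,
                             "parent_pid": parent.pid, "target": parent.image})
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for finding in detect_runtime_compilation(evts) + detect_cleanup_handoff(evts):
        print(finding)
```

Run against the constructed log, the compiler rule fires once, on vbc.exe (PID 4508) with all three reasons and the cvtres.exe child linked, and stays quiet on the csc.exe build under dotnet.exe; the hand-off rule fires once, on tmp7427.tmp.exe (PID 1952) naming the sample's path as its target. On real telemetry, feed it Sysmon event 1 or the EDR equivalent and expect the allowlist to need additions for build agents and ASP.NET hosts.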
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2KB
  MD5: 4b32f4d34da1262b4ffab0cac2c7d76e
  SHA1: f0cce41635dbb0284b5f7e6faeb4e5cccbd24cc7
  SHA256: 84a65f16987a568f8f0e47103fad937cedd138dc66da109aee76a9fdfb219643
  SHA512: f803b58dac485a6c610793918de420db27e20780a1bd59ae37e5585020095e20572f0a0e2be6beb597dfdd6407d4887049a9a5c27afe74c34698fc2f8e0bad25

- Filesize: 273B
  MD5: 6a3ab5ab142211b3ec9f592d4dc7ff01
  SHA1: 601972340a35d8a3d6ef9e4b346d3271836e358d
  SHA256: 89f723fd62a5e714eda3305be4c366fe4e6f6bc23882d99aa64d4d6249104a8f
  SHA512: 9e2ed5d73afa87108cb739be03b846f53817d6f93fa6c0c8c11323836e4827c7f85cb4991d63bc342ca3101b7326f29790914920ca867e4451540dcab2e69354

- Filesize: 2KB
  MD5: 2e724a46d14ac8ee589ca03fda20a4b7
  SHA1: aad29f7935084983bfe9c111041bcdf80449030e
  SHA256: fc84bb35ccb02df05999d08c9fa1935ca568ddaf1e777184b399412aebcc4496
  SHA512: 636fff35ce0d18a054ba6014fc678a947afb22fed4bbb307818182270c828a964512d123b4288037266cca7024625e1ab6446d99a8c9402f02b2aed418804afa

- Filesize: 1KB
  MD5: 1280b252ff347b3b5d3fbb3a6503f27b
  SHA1: b1126fee77b46e51c7cb228b12de088aa7d5dd88
  SHA256: 0f6cf49872c5f9d10fd49d5b20ca376366c5ba293ced418424f4c325d7196c0e
  SHA512: 2fb5e0b3ed9639ade51e854128d382abe5b62db22f73809405f5e13db215fbcbf4775beb70f9fcfc394f55b0987956860f3be26d95b1fd5064585568e7d8555b

- Filesize: 12KB
  MD5: 6d105f2fc124ed00a83231c0010cf2aa
  SHA1: 8f04bcaf00c06b3d2dc84879fff15bf30d2060b5
  SHA256: 16202c27f410e1d6e48f1f762de842fce0f2d92a021d7935f0fd752a8ce308e1
  SHA512: 8ba5497eba78944b95b3c4cc9d6eabbe24dceeffcaa6e4de9d45b93650caf9a2438179bd0728d85cb978fc57caebd446bdee370ce3002228306c96f0849d7302

- Filesize: 1KB
  MD5: 4accacaf8acb48a1369786d709a7959d
  SHA1: f89f550f30e901da8d561166bef732ff0ff0a917
  SHA256: 3ee34a04035970dc88128959d3859b210d0aa95366194765ef06c4640facf4a3
  SHA512: 574f704cf1db7a2a646e8449d0ffd55601071e515a90175256ff3f1426277a8798e6fcb8db8d14edc3bded0ad15ac083566737b3dda483c5795126347a71d754