Analysis
max time kernel
135s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted
11/05/2024, 04:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
Resource
win7-20240508-en
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
9 signatures
150 seconds
General
Target
7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
Size
1.0MB
MD5
7ce21e23096f7be6e7d68f316759d800
SHA1
003795d3436babe860980dbb592a6bac2ca3f88a
SHA256
6097d17d5ede804d2ff1440582ba9e90344e5d9add0ade81688988569b87fa25
SHA512
0f26e1ac49c1e8cc1f70ed3695c465703c797fd20bd9418d2eabcf28886ab8278394c16246309f65a15a2cffb444168171ce15d603459627701b69063cc06e39
SSDEEP
24576:tFZnpgDk9X1oTdfcuD+BCiTEfilL++mMY:trnwI1oZB2dcevmMY
Score
10/10
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 2956 created 3508 | 2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 56
Deletes itself 1 IoCs
pid | Process
3508 | Explorer.EXE

resource | yara_rule
behavioral2/memory/4716-13-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-21-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-25-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-27-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-26-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-35-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-36-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-37-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-38-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-43-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-44-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-40-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-45-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-46-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-47-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-48-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
behavioral2/memory/4716-50-0x0000000010000000-0x00000000102D7000-memory.dmp | vmprotect
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2956 set thread context of 2988 | 2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 83
PID 2988 set thread context of 4716 | 2988 | svchost.exe | 84
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mac.txt | ComputerDefaults.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2988 | svchost.exe
Token: SeDebugPrivilege | 4716 | ComputerDefaults.exe
Suspicious use of UnmapMainImage 1 IoCs
pid | Process
3508 | Explorer.EXE
Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
PID 2956 wrote to memory of 2988 | 2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 83
PID 2956 wrote to memory of 2988 | 2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 83
PID 2956 wrote to memory of 2988 | 2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 83
PID 2956 wrote to memory of 2988 | 2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 83
PID 2956 wrote to memory of 2988 | 2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 83
PID 2956 wrote to memory of 2988 | 2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 83
PID 2956 wrote to memory of 3508 | 2956 | 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | 56
PID 2988 wrote to memory of 4716 | 2988 | svchost.exe | 84
PID 2988 wrote to memory of 4716 | 2988 | svchost.exe | 84
PID 2988 wrote to memory of 4716 | 2988 | svchost.exe | 84
PID 2988 wrote to memory of 4716 | 2988 | svchost.exe | 84
PID 2988 wrote to memory of 4716 | 2988 | svchost.exe | 84
PID 2988 wrote to memory of 4716 | 2988 | svchost.exe | 84
PID 2988 wrote to memory of 4716 | 2988 | svchost.exe | 84
Processes
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Deletes itself
- Suspicious use of UnmapMainImage
PID: 3508
    C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2956
    C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2988
        C:\Windows\SysWOW64\ComputerDefaults.exe
        Command line: C:\Windows\SysWOW64\ComputerDefaults.exe
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        PID: 4716