Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
11/05/2024, 12:33
Static task
static1
Behavioral task
behavioral1
Sample
039acc2b4a02b96bf7b31fe59732b9b0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
039acc2b4a02b96bf7b31fe59732b9b0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
039acc2b4a02b96bf7b31fe59732b9b0_NeikiAnalytics.exe
-
Size
479KB
-
MD5
039acc2b4a02b96bf7b31fe59732b9b0
-
SHA1
fba2e2e76bee08317ad5b3391e6d35b14c1d8186
-
SHA256
226252e62d010e001b735dfa5b162d7023611eac1dbcb4193c2555d8af460ecc
-
SHA512
ce56eb8016e7d945bcefa6096a7a181cb9142b2f703ede3b7a88ca244c51bff87c211eb1be6d6d4117f0707bee4d71050f810baba73265ce1207d76ddc874762
-
SSDEEP
12288:46lc87eqqV5e+wBV6O+lDOB4A5nT0W5MxsBPbNt46K:46SqqHeVBx9B15nT0W5hBDNtPK
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 900 clipinst.exe 808 autosfc.exe 3340 ~5033.tmp -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AtBrance = "C:\\Users\\Admin\\AppData\\Roaming\\findayed\\clipinst.exe" 039acc2b4a02b96bf7b31fe59732b9b0_NeikiAnalytics.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\autosfc.exe 039acc2b4a02b96bf7b31fe59732b9b0_NeikiAnalytics.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 900 clipinst.exe 900 clipinst.exe 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE 3372 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 900 clipinst.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3372 Explorer.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3940 wrote to memory of 900 3940 039acc2b4a02b96bf7b31fe59732b9b0_NeikiAnalytics.exe 87 PID 3940 wrote to memory of 900 3940 039acc2b4a02b96bf7b31fe59732b9b0_NeikiAnalytics.exe 87 PID 3940 wrote to memory of 900 3940 039acc2b4a02b96bf7b31fe59732b9b0_NeikiAnalytics.exe 87 PID 900 wrote to memory of 3340 900 clipinst.exe 89 PID 900 wrote to memory of 3340 900 clipinst.exe 89 PID 3340 wrote to memory of 3372 3340 ~5033.tmp 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:3372 -
C:\Users\Admin\AppData\Local\Temp\039acc2b4a02b96bf7b31fe59732b9b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\039acc2b4a02b96bf7b31fe59732b9b0_NeikiAnalytics.exe"2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Users\Admin\AppData\Roaming\findayed\clipinst.exe"C:\Users\Admin\AppData\Roaming\findayed"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Users\Admin\AppData\Local\Temp\~5033.tmp3372 490504 900 14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340
-
-
-
-
C:\Windows\SysWOW64\autosfc.exeC:\Windows\SysWOW64\autosfc.exe -s1⤵
- Executes dropped EXE
PID:808
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD586dc243576cf5c7445451af37631eea9
SHA199a81c47c4c02f32c0ab456bfa23c306c7a09bf9
SHA25625d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a
SHA512c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4
-
Filesize
479KB
MD59e32a3c5a70cd5716a31ecf37a3f024c
SHA1d299b1142fef64a060c5775ba8aaa59ee824d4c7
SHA2563bdec19c528c3fd6a95ca69ef3d160f208e55dfa86b5303a661117b852c9b77d
SHA512cd59ef39e6035e44bb133dd7f3ceb35d5f10411a62f7d9f37d8d17980822e21851771bf0ce02e566e9f5d9e8dcb26cd252d7b9c5bcaad1b4328a2f8d2944e6d2