Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
13s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
12/05/2024, 19:24
Static task
static1
Behavioral task
behavioral1
Sample
4845aa93c6412074c917053cda175170_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
4845aa93c6412074c917053cda175170_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
4845aa93c6412074c917053cda175170_NeikiAnalytics.exe
-
Size
63KB
-
MD5
4845aa93c6412074c917053cda175170
-
SHA1
6030c1ed31c08f2b25ba5f7f9d0e577216124467
-
SHA256
2018d6952c057a21cf55318d6aa22871daf2916c655848bffcabfc092e3e03e8
-
SHA512
dbde0759f5eb605c7169215a434ccea75b1dc07ad5e3f7beba9d3461fc7877c0b415f4d74fbe3958675f9254a27b3d8cefc1e043490d12ca7f58ab6e2d2bf772
-
SSDEEP
768:TOSEWgI6sRJ0QPk5Cd8NUIu0oWsV1qaZIp/Bj7YcRpaSOovHYxtxdvO:Sf9Uk5CdzGs1stvHYxtH2
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cupen.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation 4845aa93c6412074c917053cda175170_NeikiAnalytics.exe -
Executes dropped EXE 1 IoCs
pid Process 3712 cupen.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cupen = "C:\\Users\\Admin\\cupen.exe" cupen.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3712 cupen.exe 3712 cupen.exe 3712 cupen.exe 3712 cupen.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 388 4845aa93c6412074c917053cda175170_NeikiAnalytics.exe 3712 cupen.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 388 wrote to memory of 3712 388 4845aa93c6412074c917053cda175170_NeikiAnalytics.exe 89 PID 388 wrote to memory of 3712 388 4845aa93c6412074c917053cda175170_NeikiAnalytics.exe 89 PID 388 wrote to memory of 3712 388 4845aa93c6412074c917053cda175170_NeikiAnalytics.exe 89 PID 3712 wrote to memory of 388 3712 cupen.exe 81 PID 3712 wrote to memory of 388 3712 cupen.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\4845aa93c6412074c917053cda175170_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\4845aa93c6412074c917053cda175170_NeikiAnalytics.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Users\Admin\cupen.exe"C:\Users\Admin\cupen.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3712
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63KB
MD599153fd668e9d883feeebadb790731c1
SHA1adf19dfd074c0caa987a79bc625f8161afdf17f9
SHA2563234b4b00cdaf81f3a55a486f69f3b3a7b4f3b9f29f0b8070113750605356c18
SHA5120ba1f7c60df52b41743f4c55020e4a23a8c67b1c0d801781d50359d5d056c4eb144dff0a6a4da21c1751482bead8919db24e23585aa1834f921dbd8a5511e97a