Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/05/2024, 19:32
Static task: static1
Behavioral task: behavioral1
  Sample: 49a544c3aa2e8cda06e0b6f496868960_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 49a544c3aa2e8cda06e0b6f496868960_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 49a544c3aa2e8cda06e0b6f496868960_NeikiAnalytics.exe
Size: 2.7MB
MD5: 49a544c3aa2e8cda06e0b6f496868960
SHA1: d1ac56581a034716996d04ed23553e7becd34cbd
SHA256: 7fd356b980fcefcb7c56d33abb9238fcf65daef9dfaddd0c88777d9683e6f1f0
SHA512: 9ff6806408f67f57a19fc1aaf6c5caf498c26a76f25f982d8cf86189c98fe90b7a875be076e97b40e96bcd1fb95c0e95ba892835ee08decab3b6a950c46e4156
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB79w4Sx:+R0pI/IQlUoMPdmpSpf4
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid   Process
1436  xdobloc.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                          Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQD\\xdobloc.exe"        49a544c3aa2e8cda06e0b6f496868960_NeikiAnalytics.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBT\\dobdevsys.exe"   49a544c3aa2e8cda06e0b6f496868960_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
380   49a544c3aa2e8cda06e0b6f496868960_NeikiAnalytics.exe
1436  xdobloc.exe
(the 64 IoCs are repeated occurrences of these two processes)

Suspicious use of WriteProcessMemory (3 IoCs)
description                      pid  Process                                              procid_target
PID 380 wrote to memory of 1436  380  49a544c3aa2e8cda06e0b6f496868960_NeikiAnalytics.exe  87
PID 380 wrote to memory of 1436  380  49a544c3aa2e8cda06e0b6f496868960_NeikiAnalytics.exe  87
PID 380 wrote to memory of 1436  380  49a544c3aa2e8cda06e0b6f496868960_NeikiAnalytics.exe  87
Processes
C:\Users\Admin\AppData\Local\Temp\49a544c3aa2e8cda06e0b6f496868960_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\49a544c3aa2e8cda06e0b6f496868960_NeikiAnalytics.exe"
  PID: 380
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\UserDotQD\xdobloc.exe
    Command line: C:\UserDotQD\xdobloc.exe
    PID: 1436
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 24KB
MD5: 8ea53c792f7c1e933b815bbd15d05fde
SHA1: af115a5719fcfec80ea4a0e559253470e0d94d8c
SHA256: 0413b9eb1ce1ce6f7c36a1824ff4ef484e2d1c51d816511c63c45265e0b57f5a
SHA512: 623bb27f1758473fc1f554205acabd9b8326bf1db856573494f4f775139c99f83222e9afc884be8f73e8620d8293e68760a601a51607c9eda75b69f989074ce3

Filesize: 2.7MB
MD5: a073d3284df618646f8781a8cf698f75
SHA1: 36560cceea77b10c5a1073836cb6e503b2ba1a92
SHA256: 856368e7ce6f02621fceb32040cd8fc91ca104679254caf05657b7066e25b0b9
SHA512: 6c1644d6af1948a417978da7efa48da67ff8b0d7af75d67d249ad2c1748633d7413b6a0f10eb452cd93ca538448bcaf7f44c362f035fa2beadb6fc81bc5911f4

Filesize: 206B
MD5: 0e8b4a6bbf6a5a3665acdb3361ca8e63
SHA1: 7404c865859d51fcb13f33b1afaf2b93906d1e12
SHA256: 6990c1d5538c3a31d256d1f3ee38154ab8ec0c71d9f232eae3beaf0809689707
SHA512: 0c3bb4c4b6785e171aa006fe0d1af536285e3607b1bd08e931c79db7bd4e0a661c81d932891372c5b76bc90f07e0f0d94e67d23a8f15ab0ec2056cba6b5a74d4