Analysis
max time kernel: 92s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 07:37
Static task: static1
Behavioral task: behavioral1
  Sample: a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
(The results below are from the behavioral2 run on windows10-2004_x64.)
General
Target: a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe
Size: 12KB
MD5: a52f08fb5c2dfbcad380b60a30e12bb0
SHA1: b814c3cf79e2d9c2e490d3880e6e03bccdc862f8
SHA256: 0ab3180614dbb7acad5c529f3ec56483d40ae457447012721225e9795b4196bc
SHA512: 255c898bcef5d498877e7529ee7954379f3832d96c8f1dfc88dd8da374493fa2ee58fb384b6bf6ce524429fadba62307f6e213535bc22eb328ec558ddf1da761
SSDEEP: 384:vL7li/2ziq2DcEQvdQcJKLTp/NK9xalQ55:DSMCQ9clQ55
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry (the GeoID stored under Control Panel\International\Geo\Nation), likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
  Process: a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe

Deletes itself (1 IoC)
  PID 4772: tmp5276.tmp.exe
  (This is the dropped helper; in the process tree below it is launched with the original sample's path as its only argument.)

Executes dropped EXE (1 IoC)
  PID 4772: tmp5276.tmp.exe

Uses the VBS compiler for execution (1 TTP)
  The binary involved is vbc.exe, the .NET Framework Visual Basic command-line compiler, not the VBScript host (wscript/cscript). See the vbc.exe and cvtres.exe entries in the process tree below.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 436, a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (9 IoCs, three identical entries per target)
  Source PID | Source process | Target PID | Target process | procid_target | Entries
  436 | a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe | 372 | vbc.exe | 85 | 3
  372 | vbc.exe | 656 | cvtres.exe | 87 | 3
  436 | a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe | 4772 | tmp5276.tmp.exe | 89 | 3
  (Target process names are taken from the PIDs in the process tree below; WriteProcessMemory into a freshly created child is also what a normal CreateProcess does, so these entries are weak signals on their own.)
Processes

1. C:\Users\Admin\AppData\Local\Temp\a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe  (PID 436)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID 372)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qd04it0v\qd04it0v.cmdline"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (PID 656)
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5488.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1EC8B435DE440B8F44F1F98DD15.TMP"

   2. C:\Users\Admin\AppData\Local\Temp\tmp5276.tmp.exe  (PID 4772)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5276.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe
      - Deletes itself
      - Executes dropped EXE

Reading the tree: the sample invokes vbc.exe with a response file in a random-named Temp directory, vbc.exe in turn runs cvtres.exe to build the resource object into Temp, which is the sequence .NET CodeDOM produces when a program compiles source at runtime. The sample then starts the freshly built tmp5276.tmp.exe and hands it its own path on the command line; that helper is the process the sandbox flags for "Deletes itself". Neither vbc.exe nor cvtres.exe is dropped by the sample; both are stock .NET Framework 4 binaries, which is what makes the pattern useful as a detection: a compiler launched by a process in %TEMP% rather than by a build tool or IDE.
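The following is an added example, not part of the tria.ge report and not code from the sample or from tria.ge. It turns the process tree and the registry IoC above into detection logic over constructed process-creation and registry-query records. The PIDs, image paths, command lines and registry key are copied from the report; the record field names (pid, ppid, image, cmdline, key) are an assumed Sysmon-like schema, not any real tool's format. It generalizes slightly beyond the page by treating csc.exe (the C# compiler, which CodeDOM drives the same way and which also spawns cvtres.exe) the same as vbc.exe.

```python
"""Detection rules for the runtime-compile-and-self-delete chain in the report:
   parent in %TEMP%  ->  vbc.exe/csc.exe @<Temp>\...cmdline  ->  cvtres.exe /OUT:<Temp>\RES*.tmp
   parent in %TEMP%  ->  dropped tmp*.exe <path of parent>   (self-delete helper)
Added example; field names are an assumed schema, events are constructed from the report."""

import ntpath
import re

# Image paths under a per-user Temp directory (case-insensitive, Windows paths).
TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# vbc.exe/csc.exe response file living in Temp:  @"C:\Users\...\Temp\xxxx\xxxx.cmdline"
RSP_IN_TEMP_RE = re.compile(r'@"?[^"]*\\temp\\', re.I)
# cvtres.exe writing its object file into Temp:  "/OUT:C:\Users\...\Temp\RESxxxx.tmp"
CVTRES_OUT_TEMP_RE = re.compile(r'/OUT:[^"]*\\temp\\', re.I)
# HKCU\Control Panel\International\Geo\Nation, as the sandbox records it under \REGISTRY\USER\<SID>\...
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)

# Constructed process-creation events, modelled on the report's process tree (PPID of the sample is made up).
PROC_EVENTS = [
    {"pid": 436, "ppid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe"'},
    {"pid": 372, "ppid": 436,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qd04it0v\qd04it0v.cmdline"'},
    {"pid": 656, "ppid": 372,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5488.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1EC8B435DE440B8F44F1F98DD15.TMP"'},
    {"pid": 4772, "ppid": 436,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp5276.tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmp5276.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe'},
]

# Constructed registry-query event, taken from the "Checks computer location settings" IoC.
REG_EVENTS = [
    {"pid": 436,
     "key": r"\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation"},
]


def in_temp(path):
    return bool(TEMP_RE.match(path))


def detect_process_chain(events):
    """Return (rule, pid) hits, in event order, for the three process-level patterns."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        name = ntpath.basename(e["image"]).lower()
        # Rule 1: a .NET compiler started by something living in Temp, with its response file also in Temp.
        if name in ("vbc.exe", "csc.exe") and parent and in_temp(parent["image"]) \
                and RSP_IN_TEMP_RE.search(e["cmdline"]):
            hits.append(("runtime_compile_from_temp", e["pid"]))
        # Rule 2: cvtres.exe emitting its resource object into Temp (the second half of the CodeDOM build).
        if name == "cvtres.exe" and CVTRES_OUT_TEMP_RE.search(e["cmdline"]):
            hits.append(("cvtres_out_temp", e["pid"]))
        # Rule 3: a dropped executable in Temp whose command line carries its parent's image path,
        # the shape of a self-delete helper. Legitimate updaters do this too; treat as a medium signal.
        if parent and in_temp(e["image"]) and e["image"].lower() != parent["image"].lower() \
                and parent["image"].lower() in e["cmdline"].lower():
            hits.append(("dropped_exe_given_parent_path", e["pid"]))
    return hits


def detect_geofence_lookup(reg_events, proc_events):
    """PIDs of Temp-resident processes that read the GeoID value (likely geofence). Only sandbox or
    API-hook telemetry records registry *reads*; Sysmon's registry events cover create/set/delete/rename."""
    by_pid = {e["pid"]: e for e in proc_events}
    return [r["pid"] for r in reg_events
            if GEO_NATION_RE.search(r["key"]) and r["pid"] in by_pid and in_temp(by_pid[r["pid"]]["image"])]


if __name__ == "__main__":
    for rule, pid in detect_process_chain(PROC_EVENTS):
        print(f"{rule}: pid {pid}")
    print("geofence lookup by pid(s):", detect_geofence_lookup(REG_EVENTS, PROC_EVENTS))
```

Rule 1 is the one worth alerting on by itself: on a workstation without Visual Studio or MSBuild, vbc.exe or csc.exe with a parent outside Program Files and a response file under Temp is rare. Rules 2 and 3 are corroboration; chaining all three on one parent PID, plus the Geo\Nation read, reproduces the report's story without relying on the sample's hash.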
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files; the report gives hashes and sizes only, no filenames)

File 1
  Filesize: 2KB
  MD5: 6a6e9ff237efd75dcbe6df94e46d9007
  SHA1: 9c78df78fcac55555bdd156970b180bd90579fad
  SHA256: a14d7807edb416715ab1663db5a49d29a284ab13e6b7d2bbbbb539bb3acb82a9
  SHA512: 0633659f120e68a3407026076820a56a376f65a0d9f7141c294f49b29b5a558382fbd16f571433e5bfe8956ae567a28833d94b1a5c6f385060f905eba14e82af

File 2
  Filesize: 1KB
  MD5: cfbad02681626e691dd009d677a925cc
  SHA1: 81ab7962fbe0c594b3db0f15b5d3dd99cd2eb176
  SHA256: 8626282d8e5c744d260205f796196b2cf6f8f7a12f3df7804b8b2542b86d8ff3
  SHA512: 96d1db83cf721c1262b64f3ee50102a641760b523c58d992fc153b2dea547713dc395a221e9d071828655e7897b613a2b4f75b99e332508c126f2264d32b3f2a

File 3
  Filesize: 2KB
  MD5: 8662f2f1bf1f8ab81b352f5e41beac41
  SHA1: 7129f64ce53401bf19301478b9681351989cee1b
  SHA256: 383ed7fa1fcc2d0897f22cdf4d68b40b4e1cc3d9d7175087af88b6e8eb4bd014
  SHA512: 4955a199847f263a134cdb927e28bb16f414fdc5c12f04fc16f87ab18ebbe39e7e138142c9dec96dd0165247f20cfcd0b98586dcd18b2838521d553c9a1d238b

File 4
  Filesize: 273B
  MD5: 177bb9b46c56984b26a0fd5bc5a6d7eb
  SHA1: f297c72f49c75865a894dd0288a9932cf3c45c2a
  SHA256: abeabfdda2e522960beb8bb11d30358653baa3f58b8ca6ce7cec43db7424287b
  SHA512: 1d6e155fa1b0d105d390630ee2f22a2d666a3afc8c90c1d0921b6b9ddd56225d21a1d49ce46146163b02b848b73fa1c0475df1b22eaca4fd424a509e381ab709

File 5
  Filesize: 12KB
  MD5: 869dc7ada814dd838b11c4bbf29c0963
  SHA1: 072229053f3c71eb482b8fa9fb1d217144a2eaf6
  SHA256: b4acb376cbd277a9ceb19b044368900ddf0510ba8afd8ed078807f1aef3bd03e
  SHA512: 9e37b0ff211977fcad4109972f6ebaaf236978e31ee07b861ef711d841e3d1aaca3be9fdba38d53387887cd797f0265afde6f73b26b2530c1fd545f9cafc32a7
  (Same size as the submitted sample but a different hash; the report does not say which dropped path it corresponds to.)

File 6
  Filesize: 1KB
  MD5: 408667ccae8793d7907b997aacb4f742
  SHA1: 2dd7072c6487a8411e063a0ae6afaf0a14d7c2dc
  SHA256: 57ea38317b7b2bdb2215ce8f723fc72d0aba62f375f47895b9770e65f65a9c40
  SHA512: 97c0523d535e8fda95e6b9b64558ffb421f04d481c6b8909315a589fde61a6cef8e049fe4611ff4f069cd2eeb913b6123202e433339814378af40062894139d0