Analysis
max time kernel: 138s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 15/05/2024, 13:09
Static task: static1
Behavioral task: behavioral1
  Sample: d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe
Size: 841KB
MD5: d37fa204010d8351a6f2d6406c6cd020
SHA1: f24316416c6526ce14450fdc3a1c6474e1be9ac9
SHA256: ee9099a6fe31d5b8e2389a8a6a88ca77edbf378d31430aa598de6248408d2292
SHA512: 2c48195ba1f0c1329584a43bc01dc6b430e79a90b423b5dfd52e94a5aced3a70d15e0691d7f6d727f55fbe223ade8750523f223619ad7f0afaffd7fe90b22729
SSDEEP: 12288:l13ElZw9bISFxyfodkrF0745EenMa3w8zEcMlG/Pkp6xH+GUrz/gxJET0q7cgY4V:l1Ma9ESFxeoduF645eaDzXEj
Malware Config
Extracted
  Family: redline
  194.26.232.43:20746
Signatures
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoC)
  resource: behavioral2/memory/4624-9-0x0000000000400000-0x0000000000452000-memory.dmp
  yara_rule: family_redline
Loads dropped DLL (1 IoC)
  pid 4268, process d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (1 IoC)
  PID 4268 set thread context of 4624 (pid 4268, process d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe, procid_target 92)
Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid 4624, process MSBuild.exe (22 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege (pid 4624, process MSBuild.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4268 wrote to memory of 4624 (pid 4268, process d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe, procid_target 92) (8 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe"
  PID: 4268
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child of PID 4268)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 4624
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
  PID: 4076
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
  MD5: 1420d30f964eac2c85b2ccfe968eebce
  SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
  SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
  SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
Filesize: 397KB
  MD5: 5448e865680ecc9fc71b564ab8c61c15
  SHA1: a101dc0c2113cabff54c1f37cc32240353a7c180
  SHA256: e84a67bb8079e12fd589fecb65c7113328c1257db536f3eeae7013340f6e8512
  SHA512: 9630400cde5dbd33e8fc862ce69da3f275bb9b7f5b22a3967acfa1523385a44aae599f5bbbeb6e649120153c77414edefef8b0c13851c2770e43cd300b138ebf