Analysis
-
max time kernel
149s
-
max time network
93s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
16/05/2024, 00:28
Static task
static1
Behavioral task
behavioral1
Sample
623456f87eeffb70e58820404518f480_NeikiAnalytics.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
623456f87eeffb70e58820404518f480_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
623456f87eeffb70e58820404518f480_NeikiAnalytics.exe
-
Size
480KB
-
MD5
623456f87eeffb70e58820404518f480
-
SHA1
1d224be2258721fb58c765811dc660d0bc635327
-
SHA256
21a2483537b9e90ff5665ad05b7e7931375c4263802714f606b6d6a12ac8691b
-
SHA512
7c9ee78393d2df00658696a98c287e6f473461de737eeaf7c7d12f949bd484fbf1d73f513e8c67d48c315c5fc5188b8f3cd932dfb13bf9b651a43302e46a045d
-
SSDEEP
6144:AjlYKRF/LReWAsUyaZRjLJoRyE6T/PBFlZNPLZKOwDtlo8c7gK:AjauDReWA3LTlZNPLZKOwDtC7gK
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid: 4348
Process: qvaxt.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\qvaxt.exe"
Process: qvaxt.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description: PID 2504 wrote to memory of 4348; pid: 2504; Process: 623456f87eeffb70e58820404518f480_NeikiAnalytics.exe; procid_target: 82
description: PID 2504 wrote to memory of 4348; pid: 2504; Process: 623456f87eeffb70e58820404518f480_NeikiAnalytics.exe; procid_target: 82
description: PID 2504 wrote to memory of 4348; pid: 2504; Process: 623456f87eeffb70e58820404518f480_NeikiAnalytics.exe; procid_target: 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\623456f87eeffb70e58820404518f480_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\623456f87eeffb70e58820404518f480_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID: 2504
-
  C:\ProgramData\qvaxt.exe
  "C:\ProgramData\qvaxt.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  PID: 4348
-
Network
MITRE ATT&CK Enterprise v15
Downloads