Analysis
max time kernel: 139s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/05/2024, 01:22
Static task: static1
Behavioral task: behavioral1
  Sample: 7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe
Size: 12KB
MD5: 7011cc050bdfc4ba002c47a27d7aa470
SHA1: 62d0239706dd6bb7406171b3bca55136e251d04a
SHA256: 28b8ebecd0379c57fe368aaddd0ecf30827a9a9889b63ea06384dda5c8e39369
SHA512: a4278e19bc6a1038b7cb2610cfd1b4dc80f3436bfda49219797303d24e8d40151c7dcd9333c1a58663a33658e0e65f05ce456b65edf36070bdb5462fe512c931
SSDEEP: 384:WL7li/2z5q2DcEQvdhcJKLTp/NK9xabu:Q5M/Q9cbu
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  Process: 7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe

Deletes itself (1 IoC)
  PID 2676: tmp563F.tmp.exe

Executes dropped EXE (1 IoC)
  PID 2676: tmp563F.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege
  PID 2312: 7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                          pid   Process                                               procid_target
  PID 2312 wrote to memory of 3148     2312  7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe   88
  PID 2312 wrote to memory of 3148     2312  7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe   88
  PID 2312 wrote to memory of 3148     2312  7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe   88
  PID 3148 wrote to memory of 3100     3148  vbc.exe                                               90
  PID 3148 wrote to memory of 3100     3148  vbc.exe                                               90
  PID 3148 wrote to memory of 3100     3148  vbc.exe                                               90
  PID 2312 wrote to memory of 2676     2312  7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe   92
  PID 2312 wrote to memory of 2676     2312  7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe   92
  PID 2312 wrote to memory of 2676     2312  7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe   92
Processes
1. C:\Users\Admin\AppData\Local\Temp\7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe"
   PID: 2312
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lbecyapp\lbecyapp.cmdline"
      PID: 3148
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5880.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc653B75227E8D4586A516D5F5B7254A0.TMP"
         PID: 3100

   2. C:\Users\Admin\AppData\Local\Temp\tmp563F.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp563F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe
      PID: 2676
      - Deletes itself
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 4ee05ef616290a4ddac7a82c37bfaddc
SHA1: 6e629febb2130d4cb9993ca9789dadcf2e0ed1c0
SHA256: c594b0dcc45becd0b4a36f7f123a6c00e930e4269cd381f304d9e421bc442974
SHA512: b6df40909477f2dc08d962be80ec74dea85604ccc9a69461b6163b61af09ad8e9e583af7ec04c58b49ac1715557b0226bf1ea52f9dc4bb10a4e0b876a7fe2255

Filesize: 1KB
MD5: 16016bcdbf938e1eeb2b008bd8be32d3
SHA1: 9dabb8c7de39973f939309e357d6a541ddca2a8e
SHA256: 65e996e6efb86a03d55b16c70f63049c2233ed5443d05c0ec65d46bd2649a658
SHA512: 14f4429d793a9ecab8825fcdbd92eecc84f48b731e1eafe4d5f6a0235f2a64b442d8c3cc043bc1abbe27fd48541e6316146c6b4a411aa59957ce1819002c8cd3

Filesize: 2KB
MD5: c18d58195b0ec399114aceccfcf881c8
SHA1: 8882db53c5d4c8781e891de5cb6b8c525190f3d1
SHA256: 35bca2ff0c47484c616ee3fb67fd8e77caa9d626500bf40c688da95a18387588
SHA512: b854b77335b038908af51b8edd67f925905affe0c5e91c20132db06d38b42be614838567665030934b2ba2e130f6aa924cd67f735f6d0c6f958e9913d36e8e70

Filesize: 273B
MD5: dae4cf5f18d3cc2a97c015a8d7e9aa34
SHA1: 5ccda03fc525d4c91743c7e1695cfc0fee9d309b
SHA256: 33f628f47f6077bee1ff8c88e98fa91deeff2a81d4f1076e5b5ef51f1df0b2f4
SHA512: 8a2b6c3f2f1daa354af244393137352e3031c52636246f9020128644a59edfe0ad75ed720d93742d829eb12730e6b567b7aba7fc3c96abcce20cd6778b9ccfaa

Filesize: 12KB
MD5: 487a9ee4fd015f41784545a1dc44fb18
SHA1: 93fb31ef5c476545f0ca2464a999ba11c8b9cabb
SHA256: 155829b357173de8fdffb174a9fffdce08e026afbef74a44d1f50a61f34e3bf5
SHA512: a314774e61f9482179c3e8bf1731d4273d848a88a7698836df92f59f79ad009f7be96eabfe7966eccb9c355d51a51bfae4fcec5ab6204ea30bdc04536c93de17

Filesize: 1KB
MD5: efef16a4462a292cb418286736b2cdd3
SHA1: 3fbdb509d155afa3a2e14169eba08364bb369e7a
SHA256: 6f04cf4fe5b9aa11b4408e2a418729b5df8f0b242aee1a702a3c727497ae82a2
SHA512: 13f07bfba83d0854cf914c52f1fc5ba280811adf453a5bbe5d57d246dca8cf99b73395e45c22e63e7f0bf97302e658d26c807890ae4f9a3f9db5b17cefde067a