Analysis
- max time kernel: 136s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/05/2024, 05:04
Static task: static1
Behavioral task: behavioral1
- Sample: a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe
- Size: 12KB
- MD5: a036b44bd7663a0bf4b8cf9c4e86fef0
- SHA1: aa3e57265d54e04136e2035df4a18b9670b30340
- SHA256: a6dab7902ff7cb81dd907b2a21a0a6c518c2471db75ef04f6568c0a095f7e060
- SHA512: 78067682d69519465717b468e7d6ac95184fde6435adaddd8dd931a2881435234ee37f5ef59dcd120a1c6de9f8115d10b37423f164f0510b885b4c590041f1ac
- SSDEEP: 384:lL7li/2zhq2DcEQvdhcJKLTp/NK9xaDj:lxM/Q9cDj
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | Process: a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe
- Deletes itself (1 IoC)
  pid: 440 | Process: tmp493F.tmp.exe
- Executes dropped EXE (1 IoC)
  pid: 440 | Process: tmp493F.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege | pid: 3632 | Process: a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3632 wrote to memory of 2068 | 3632 | a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe | 86
  PID 3632 wrote to memory of 2068 | 3632 | a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe | 86
  PID 3632 wrote to memory of 2068 | 3632 | a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe | 86
  PID 2068 wrote to memory of 1492 | 2068 | vbc.exe | 88
  PID 2068 wrote to memory of 1492 | 2068 | vbc.exe | 88
  PID 2068 wrote to memory of 1492 | 2068 | vbc.exe | 88
  PID 3632 wrote to memory of 440 | 3632 | a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe | 89
  PID 3632 wrote to memory of 440 | 3632 | a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe | 89
  PID 3632 wrote to memory of 440 | 3632 | a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe | 89
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe"
  PID: 3632
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sdq3jufw\sdq3jufw.cmdline"
    PID: 2068
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B03.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2A7DA83455D42FEA97FDFB43435BDA7.TMP"
      PID: 1492
  - [2] C:\Users\Admin\AppData\Local\Temp\tmp493F.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp493F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a036b44bd7663a0bf4b8cf9c4e86fef0_NeikiAnalytics.exe
    PID: 440
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: a608f3d17cf3e13a09f79f83671a3237
  SHA1: 32eb5211499900d9e97742810d5207f9b51c0c01
  SHA256: ab93f0739556adfb881e9cc0f0eaf657dc64f21716f4513b8cd6c211825e80f1
  SHA512: 8c314efae68f7346e5f9b72c5a50f8d0fae752f9055950beba3560f8e39bf19582a24f31ae3ea87e117db1e43b1759074e298dcd37d86c845cd45454bc685777
- Filesize: 1KB
  MD5: 2fbd32792c60db233359405807b2bf6b
  SHA1: d9b7cf4a82c8366f3b8af14b46d55dda970cf741
  SHA256: 761446b6eb5824e3107aba37b7020c2bc962dc738d7929b99f2db4f6ff6404c2
  SHA512: 746a376b147c05728d68276c15860a3146cdb0b2c746c997591a36174e4fd4033fddb4a2c61b5049b5c8db42117e96534308ce842843e982310a6388b155c579
- Filesize: 2KB
  MD5: aad386b656968393dadadc31077f08cd
  SHA1: e6f8fab527f199d3b14233d32069e23ead986aa9
  SHA256: e01e133e16a7257117c76e3dc18a3cfa935a19277a747f6fcb40d61096630564
  SHA512: 2feb01b1587dffda12578d870fcae242100d3a16ed9803d21200026e823e7c839479f4ca071e479b0df34f32c4567c921b37872ddf7cdef4796d04204edeb394
- Filesize: 273B
  MD5: 4a19510a9f9fa7e97bad755352bfab7f
  SHA1: 7a152a75e5a6a53b455a366834494e5b746632df
  SHA256: 367c06cdf1056783de9fabebb35b54f30d74fa7eb1e87ce61759813dba042518
  SHA512: 8407d0e3bda50b725f6259f3e2ce222389d629f0a94ae2e8ecad19808a49afe018d9792390c81f2a623aaec7505c770fa7f80fbbac7ebb0bc232c0e92cfc4558
- Filesize: 12KB
  MD5: ee6c4d59d27e824cfb695d4807b9bcd5
  SHA1: f76364667864142b942ea91388b15cb142d5e179
  SHA256: 91616cd640fc897b789204033c336d1392ed250514aa043f62767b8b7e4eeef3
  SHA512: e697ba2b29997b48e837921ee932af868d17e80b87aa92ad782985b9ac0c651a47da44e79396dc0f3d71bc1f55c4956a8c7cb39a933d73e0386059c014dc641e
- Filesize: 1KB
  MD5: 1e2c5e160e69d3104e28572c5b8a5f2a
  SHA1: f3871ab1c3bb605e5d8fb5eb571f2b8961f40d58
  SHA256: 0f8efce0157d9c59d74f53e29c9eec86913dd1466be168a8a00670cda2e81fcd
  SHA512: e72136a7ba5deaf1067246bd3c7efdddf9b5b1cb0666213a0f4c8a0201920d2be32780545dc4867816cb7e25590ed5357ee242a965d37d3f3c89c2ea9db6c462