Analysis
max time kernel: 134s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/05/2024, 12:20
Static task: static1
Behavioral task: behavioral1
  Sample: 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
Size: 12KB
MD5: 18be8734f158add81a1d6123270c7e10
SHA1: 33e6e05ec5f55c7945b8993dcb947ad4b3a6c165
SHA256: 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054
SHA512: a87de3c25201319c005c14a9328eada2640b220c8c618df3cf6e22dfcecd80b9deb240a87ed33f3e7a5ba2ab62a851003a8661187a52b931d3bc825d57f3ce47
SSDEEP: 384:EL7li/2z8q2DcEQvdhcJKLTp/NK9xaet:S4M/Q9cet
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation
- Deletes itself (1 IoC)
  PID 4740, process tmp4305.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 4740, process tmp4305.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4040, process 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Columns: description, pid, process, procid_target
  PID 4040 wrote to memory of 3176 | 4040 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe | 86
  PID 4040 wrote to memory of 3176 | 4040 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe | 86
  PID 4040 wrote to memory of 3176 | 4040 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe | 86
  PID 3176 wrote to memory of 3364 | 3176 | vbc.exe | 88
  PID 3176 wrote to memory of 3364 | 3176 | vbc.exe | 88
  PID 3176 wrote to memory of 3364 | 3176 | vbc.exe | 88
  PID 4040 wrote to memory of 4740 | 4040 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe | 89
  PID 4040 wrote to memory of 4740 | 4040 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe | 89
  PID 4040 wrote to memory of 4740 | 4040 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe"
  PID: 4040
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hjqwvxfo\hjqwvxfo.cmdline"
    PID: 3176
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC563F9C1942F496AB2B06531387669DD.TMP"
      PID: 3364
  C:\Users\Admin\AppData\Local\Temp\tmp4305.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4305.tmp.exe" C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
    PID: 4740
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads