Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 152s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/05/2024, 20:51
Static task
static1
Behavioral task
behavioral1
Sample
0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
General
Target: 0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe
Size: 128KB
MD5: 0d19637d68c53f3cac3959a848473a60
SHA1: 5f8dc94e8c019634c2a1a4b016cdf650dacb7a00
SHA256: 9abe33680967b1a3321cf8610f2f93e16a423a5b9e5f587c77ac8819f2236f3b
SHA512: 8897a2b619dfd240fa73d551e221027570cc2aedbc743b0be433b8adc0a64caed4f3d02c3a5f084d1e394e0ef3d053269f3f395578cfd822e5e210537b7ac3c8
SSDEEP: 3072:VvgwhTm5amkqIJS20hD7Me+QpWT21/Blx77x19:jmhUKWyJBlx77/9
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
Process: 0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe
Executes dropped EXE 3 IoCs
pid   Process
4936  0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe
1688  datafli.exe
1548  datafli.exe

resource                                                                 yara_rule
behavioral2/memory/4936-13-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/4936-16-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/4936-19-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/4936-48-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/4936-64-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/1548-66-0x0000000000400000-0x000000000040B000-memory.dmp  upx
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Key Name = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\datafli.exe"
Process: reg.exe
Suspicious use of SetThreadContext 5 IoCs
description                             pid   Process                                               procid_target
PID 4188 set thread context of 1452     4188  0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe   91
PID 4188 set thread context of 4936     4188  0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe   92
PID 1688 set thread context of 1864     1688  datafli.exe                                           98
PID 1688 set thread context of 1548     1688  datafli.exe                                           99
PID 1688 set thread context of 0        1688  datafli.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
1452  svchost.exe   (64 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description               pid   Process
Token: SeDebugPrivilege   1548  datafli.exe   (64 identical entries)
Suspicious use of SetWindowsHookEx 6 IoCs
pid   Process
4188  0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe
1452  svchost.exe
4936  0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe
1688  datafli.exe
1864  svchost.exe
1548  datafli.exe
Suspicious use of WriteProcessMemory 43 IoCs
description                           pid   Process                                               procid_target  count
PID 4188 wrote to memory of 1452      4188  0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe   91             9
PID 4188 wrote to memory of 4936      4188  0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe   92             8
PID 4936 wrote to memory of 4620      4936  0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe   93             3
PID 4620 wrote to memory of 1300      4620  cmd.exe                                               96             3
PID 4936 wrote to memory of 1688      4936  0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe   97             3
PID 1688 wrote to memory of 1864      1688  datafli.exe                                           98             9
PID 1688 wrote to memory of 1548      1688  datafli.exe                                           99             8
Processes
- C:\Users\Admin\AppData\Local\Temp\0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe"
  PID: 4188
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\system32\svchost.exe"
    PID: 1452
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d19637d68c53f3cac3959a848473a60_NeikiAnalytics.exe"
    PID: 4936
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGFQN.bat" "
      PID: 4620
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Key Name" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe" /f
        PID: 1300
        - Adds Run key to start application
    - C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe
      Command line: "C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe"
      PID: 1688
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Windows\system32\svchost.exe"
        PID: 1864
        - Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe
        Command line: "C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe"
        PID: 1548
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3800 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
  PID: 3572
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 128KB
MD5: 0d19637d68c53f3cac3959a848473a60
SHA1: 5f8dc94e8c019634c2a1a4b016cdf650dacb7a00
SHA256: 9abe33680967b1a3321cf8610f2f93e16a423a5b9e5f587c77ac8819f2236f3b
SHA512: 8897a2b619dfd240fa73d551e221027570cc2aedbc743b0be433b8adc0a64caed4f3d02c3a5f084d1e394e0ef3d053269f3f395578cfd822e5e210537b7ac3c8

Filesize: 148B
MD5: cad4294c9f78a2359f70ea09f0f56325
SHA1: 1d02ee76821a5b6fe45aa4f12bac8f86b0043691
SHA256: 48eb38071c5a2a5c40b3110fcbcb52f6ad0849c3ec20b1cf1be5fa223ac0aaf4
SHA512: cd62dd9423a3224d2c4d27853554e0574212cf48a824d562ab3e17231bb839f1dadb12067a7ca39c0cf8ddd5b0e3e8c1dbf601f9822567957e7c29e51fe1693d

Filesize: 128KB
MD5: d92afdc2ec99e1443083a8b1d24ebdb7
SHA1: 45f016b813fcb7fec3fb8251a3f0192c22f64584
SHA256: 11751b6e0b1823cfd95c0062dacd74b3b4a3042cac5ca7791a9fb55cc59c6011
SHA512: 6b8fa711ab56c77299b11a022a109d02272b3e1ca2c5d49318f3a5c39b8934574bd8e0da61fb421156786c1bfda2f639cecda25f0ee3c801b670764843018d43