Analysis
- max time kernel: 140s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/05/2024, 19:27
Static task: static1
Behavioral task: behavioral1
- Sample: a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe
- Size: 12KB
- MD5: a7bf23f906f6ea2116393fd2cbb66da0
- SHA1: 835af6df2b99fa6f5f548ea1a0d62f00cf4728d4
- SHA256: 3761a58958c12df556f96abc57016938f2029440986a402399318055fd1ea970
- SHA512: bffe4b9060f88c9da2e322ee5c3a7fc300346118db2eb9eff49bacfaad6664d52124bfa8f12554f65b52e0f15f5974c13b46a8a5209dd4eab0340c3e43bd6197
- SSDEEP: 384:nL7li/2zZq2DcEQvdhcJKLTp/NK9xaJw:LxM/Q9cJw
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation
  Process: a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe
- Deletes itself (1 IoCs)
  pid: 368
  Process: tmp6F84.tmp.exe
- Executes dropped EXE (1 IoCs)
  pid: 368
  Process: tmp6F84.tmp.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 3688
  Process: a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                              procid_target
  PID 3688 wrote to memory of 2160   3688  a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe  88
  PID 3688 wrote to memory of 2160   3688  a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe  88
  PID 3688 wrote to memory of 2160   3688  a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe  88
  PID 2160 wrote to memory of 1332   2160  vbc.exe                                              91
  PID 2160 wrote to memory of 1332   2160  vbc.exe                                              91
  PID 2160 wrote to memory of 1332   2160  vbc.exe                                              91
  PID 3688 wrote to memory of 368    3688  a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe  92
  PID 3688 wrote to memory of 368    3688  a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe  92
  PID 3688 wrote to memory of 368    3688  a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe  92
Processes
1. C:\Users\Admin\AppData\Local\Temp\a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 3688
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oqaldz0d\oqaldz0d.cmdline"
      - Suspicious use of WriteProcessMemory
      PID: 2160
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7129.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc697B8A2AE20D413093C1AEE3F8D27548.TMP"
         PID: 1332
   2. C:\Users\Admin\AppData\Local\Temp\tmp6F84.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6F84.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a7bf23f906f6ea2116393fd2cbb66da0_NeikiAnalytics.exe
      - Deletes itself
      - Executes dropped EXE
      PID: 368
Network
MITRE ATT&CK Enterprise v15
Downloads