Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
25/05/2024, 08:17 UTC
Static task
static1
Behavioral task
behavioral1
Sample
a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe
-
Size
2.7MB
-
MD5
a019a629e5ab1c4e0d892a763cd6ef60
-
SHA1
46c5c98d9dda79cd9117105b188b4c2bceeedf5a
-
SHA256
a0a23a3d3796d50b8b499184a6d4415666a21d5d23d7040c2c838370f22d7c53
-
SHA512
6ded71e55644d859399af3a61071a6a4cddc7babf424d0b39d9a8b3bc8a22308c6c322d042f1de58bb6a133356ad35d51047b6a80b70689d4cf01110925b8821
-
SSDEEP
49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBF9w4Sx:+R0pI/IQlUoMPdmpSpV4
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4180 devdobsys.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files8G\\devdobsys.exe" a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax69\\dobdevsys.exe" a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 4180 devdobsys.exe 4180 devdobsys.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3856 wrote to memory of 4180 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 89 PID 3856 wrote to memory of 4180 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 89 PID 3856 wrote to memory of 4180 3856 a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a019a629e5ab1c4e0d892a763cd6ef60_NeikiAnalytics.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Files8G\devdobsys.exeC:\Files8G\devdobsys.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4180
-
Network
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request20.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request91.90.14.23.in-addr.arpaIN PTRResponse91.90.14.23.in-addr.arpaIN PTRa23-14-90-91deploystaticakamaitechnologiescom
-
GEThttps://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90Remote address:23.62.61.106:443RequestGET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Sat, 25 May 2024 08:17:23 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.663d3e17.1716625043.4b6bf2f
-
Remote address:8.8.8.8:53Request26.35.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request106.61.62.23.in-addr.arpaIN PTRResponse106.61.62.23.in-addr.arpaIN PTRa23-62-61-106deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request134.71.91.104.in-addr.arpaIN PTRResponse134.71.91.104.in-addr.arpaIN PTRa104-91-71-134deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request0.204.248.87.in-addr.arpaIN PTRResponse0.204.248.87.in-addr.arpaIN PTRhttps-87-248-204-0lhrllnwnet
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 627437
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6FCE7BE59CB7424691B319E71A074A2B Ref B: LON04EDGE1113 Ref C: 2024-05-25T08:19:00Z
date: Sat, 25 May 2024 08:19:00 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 792794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BF7D7B32792D4ECF81193A365464B879 Ref B: LON04EDGE1113 Ref C: 2024-05-25T08:19:00Z
date: Sat, 25 May 2024 08:19:00 GMT
-
Remote address:8.8.8.8:53Request73.239.69.13.in-addr.arpaIN PTRResponse
-
23.62.61.106:443https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90tls, http21.4kB 6.3kB 16 11
HTTP Request
GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90HTTP Response
200 -
1.2kB 8.1kB 16 14
-
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90tls, http254.9kB 1.5MB 1079 1077
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Response
200HTTP Response
200
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
20.160.190.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
91.90.14.23.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
26.35.223.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
106.61.62.23.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
134.71.91.104.in-addr.arpa
-
71 B 116 B 1 1
DNS Request
0.204.248.87.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
13.227.111.52.in-addr.arpa
-
62 B 173 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
-
71 B 145 B 1 1
DNS Request
73.239.69.13.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5d7bb3b7ebcc1a03366707d74c848aae3
SHA1e18a086f3c5d3f37e1659c450a2126c73f723bad
SHA256f69a4375ff33fbe3e226bfa4b8c1cc057e07e6e0bac157c3314f2a2f50ddd447
SHA512af8dd385f53aceb48fe73c94ed03c085413bc8ab22bc33f671c9086a21579275ba114aa5da8dc93ef0ebe2dd8aa2fc194a0d7e914f260755346ec4555c9fa390
-
Filesize
2.7MB
MD5875c5a1d8dec0b58f5f5589b1977d72a
SHA1940e85dd9d9531aedb232e748c4cb1ed4050b8a9
SHA256f077f41372a855072aff898df644d61b1c07bf0fec39a12df1fd53d66fc5890a
SHA512eba4ec0f31063cc0372addfad9999beba652560ce8cedfffefc0ffc28ec860c4468319cf3770fa9afb9afb59c2db859650f9280980d9986b4b52f5f87d4b22b0
-
Filesize
200B
MD57d8c146083f84c6b5a9d8aa59a10e8b2
SHA143aa8c3acb5659c83a88094e4e4ea46f444a69bd
SHA256d79ad51019e222917519196dcd20fd77db867167b40b7d0332b1639be4425617
SHA512c568043559e2a90c9c21b45caf06cfac52a96883e8e601614a73353110693803a47fd1664f70e1260e4ddf608debf2194cb7103dcd03b9bc664c5de251d11bfd