Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26/05/2024, 20:18
Static task: static1
Behavioral task: behavioral1
- Sample: 4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe
- Size: 169KB
- MD5: 4603037222e759fad531bc533fa715a0
- SHA1: 5ed0b37845d7b077262495d0b7d537f4e078fbcf
- SHA256: efbb1646395087d8b9f5ae733d46b28dd3d52d924c83e43bad1a0687af8ee498
- SHA512: cbf3a465bdc9ff37f382f92536b13f2b730fe6d6c8b0aab58d532c0ddf3d8a65b001ec3ad590472df427e30ee8c44fcb57948d9b9fa440c888da768fd892a658
- SSDEEP: 3072:J14mOxrKFNZYhrgtRFuV2DDbuiTf3hPsOraS87FYqjTZbn4TGh:JnYWYhrgtRo6DSiTf3hPswa1TZjxh
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5 = "rundll32.exe shell32.dll, ShellExec_RunDLL C:\\PROGRA~3\\DBDDJD~1.EXE"
  process: icardagt.exe
- Checks for any installed AV software in registry (1 TTP, 3 IoCs)
  description: Key opened; ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Avira; process: icardagt.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast; process: icardagt.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Eset\Nod; process: icardagt.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2924 set thread context of 1036; pid: 2924; process: 4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe; procid_target: 28
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 1036; process: icardagt.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeIncBasePriorityPrivilege; pid: 2924; process: 4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe
  Token: SeBackupPrivilege; pid: 3016; process: vssvc.exe
  Token: SeRestorePrivilege; pid: 3016; process: vssvc.exe
  Token: SeAuditPrivilege; pid: 3016; process: vssvc.exe
- Suspicious use of WriteProcessMemory (34 IoCs; identical entries collapsed with their counts)
  PID 2924 (4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe) wrote to memory of 1036; procid_target: 28 (12 entries)
  PID 2924 (4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe) wrote to memory of 2812; procid_target: 29 (4 entries)
  PID 2812 (cmd.exe) wrote to memory of 880; procid_target: 31 (4 entries)
  PID 1036 (icardagt.exe) wrote to memory of 2812; procid_target: 29 (7 entries)
  PID 1036 (icardagt.exe) wrote to memory of 880; procid_target: 31 (7 entries)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Views/modifies file attributes (1 TTP, 1 IoC)
  pid: 880; process: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe"
  PID: 2924
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\icardagt.exe
    Command line: "icardagt.exe"
    PID: 1036
    - Adds Run key to start application
    - Checks for any installed AV software in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\ectE04C.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe""
    PID: 2812
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe"
      PID: 880
      - Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3016
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (1)