Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
- submitted: 26/05/2024, 20:18
Static task: static1
Behavioral task: behavioral1
- Sample: 4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe
- Size: 169KB
- MD5: 4603037222e759fad531bc533fa715a0
- SHA1: 5ed0b37845d7b077262495d0b7d537f4e078fbcf
- SHA256: efbb1646395087d8b9f5ae733d46b28dd3d52d924c83e43bad1a0687af8ee498
- SHA512: cbf3a465bdc9ff37f382f92536b13f2b730fe6d6c8b0aab58d532c0ddf3d8a65b001ec3ad590472df427e30ee8c44fcb57948d9b9fa440c888da768fd892a658
- SSDEEP: 3072:J14mOxrKFNZYhrgtRFuV2DDbuiTf3hPsOraS87FYqjTZbn4TGh:JnYWYhrgtRo6DSiTf3hPswa1TZjxh
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check: the sample reads the value before any of the later activity, so a mismatch with the intended region would explain a run that does nothing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5 = "rundll32.exe shell32.dll, ShellExec_RunDLL C:\\PROGRA~3\\D0J6DD~1.EXE" | backgroundTaskHost.exe
The Run value is written by backgroundTaskHost.exe (the injected process), not by the sample itself, and it does not name the payload directly: rundll32.exe calls the ShellExec_RunDLL export of shell32.dll, which passes its argument to ShellExecute, and the argument is an 8.3 short path (PROGRA~3 typically resolves to C:\ProgramData on a default install). Resolve the short name on the host before hunting for the dropped file.
Checks for any installed AV software in registry (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Avira | backgroundTaskHost.exe
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast | backgroundTaskHost.exe
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Eset\Nod | backgroundTaskHost.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1968 set thread context of 2872 | 1968 | 4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe | 90
The sample (PID 1968) set the thread context of the backgroundTaskHost.exe child it launched (PID 2872). Together with the repeated WriteProcessMemory calls from 1968 into 2872 listed below, this is the pattern of code injection into a freshly created process; the Run-key write and the AV vendor lookups are then performed from inside 2872.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2872 | backgroundTaskHost.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1968 | 4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory (31 IoCs)
Identical entries are collapsed; the writer is the process in the Process column and the target PID is resolved from the process tree below. The counts add up to 31.
description | pid | Process | procid_target | entries
PID 1968 wrote to memory of 2872 (backgroundTaskHost.exe) | 1968 | 4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe | 90 | 11
PID 1968 wrote to memory of 5800 (cmd.exe) | 1968 | 4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe | 105 | 3
PID 2872 wrote to memory of 1968 (its parent, the sample) | 2872 | backgroundTaskHost.exe | 89 | 7
PID 5800 wrote to memory of 6580 (attrib.exe) | 5800 | cmd.exe | 108 | 3
PID 2872 wrote to memory of 5800 (cmd.exe) | 2872 | backgroundTaskHost.exe | 105 | 7
Note that the injected backgroundTaskHost.exe writes back into the sample process and into the cmd.exe that runs the cleanup batch, so the cleanup is driven after injection, not by the original image alone.
Views/modifies file attributes (1 TTP, 1 IoC)
pid | Process
6580 | attrib.exe
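The three registry behaviours in this section (the Geo\Nation lookup, the AV vendor key opens and the Run-key write through rundll32/ShellExec_RunDLL) can be scored from a registry-activity log. The script below is an added example and is not part of the tria.ge report or the sample; the event lines are constructed to mirror the IoCs above, the "process|operation|key|data" line layout and the benign explorer.exe entry are assumptions of this example, and the AV vendor list is illustrative.

```python
import re

# Constructed to mirror the IoCs in the Signatures section; these are not
# exported sandbox records. Layout: process|operation|key|data (assumed).
SAMPLE_EVENTS = [
    r"4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe|query|\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation|",
    r"backgroundTaskHost.exe|open|\REGISTRY\MACHINE\Software\WOW6432Node\Avira|",
    r"backgroundTaskHost.exe|open|\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast|",
    r"backgroundTaskHost.exe|open|\REGISTRY\MACHINE\Software\WOW6432Node\Eset\Nod|",
    r"backgroundTaskHost.exe|set|\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5|rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\D0J6DD~1.EXE",
    # benign Run entry (assumed) so the rules have something to ignore
    r'explorer.exe|set|\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth|"C:\Program Files\Windows Defender\MSASCuiL.exe"',
]

GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Vendor list is illustrative; extend it from the product keys present in your estate.
AV_VENDOR = re.compile(
    r"\\Software\\(?:WOW6432Node\\)?(Avira|AVAST Software|Eset|Kaspersky Lab|McAfee|Bitdefender)(?:\\|$)",
    re.I)
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
# rundll32 shell32.dll,ShellExec_RunDLL <arg> runs <arg> via ShellExecute: a proxy launch.
SHELLEXEC_PROXY = re.compile(r"\brundll32(?:\.exe)?\s+shell32(?:\.dll)?\s*,\s*ShellExec_RunDLL\b", re.I)
# 8.3 short names such as PROGRA~3 or D0J6DD~1 hide the real directory/file name.
SHORT_NAME = re.compile(r"\b[A-Z0-9]{1,6}~\d+\b", re.I)


def parse_event(line):
    process, operation, key, data = line.split("|", 3)
    return {"process": process, "op": operation.lower(), "key": key, "data": data}


def triage(lines):
    """Return one finding per suspicious behaviour seen in the event lines."""
    findings = []
    av_hits = {}  # process -> {vendor: None}, preserving first-seen order
    for ev in map(parse_event, lines):
        if ev["op"] == "query" and GEO_NATION.search(ev["key"]):
            findings.append({"rule": "geofence_lookup", "process": ev["process"],
                             "detail": "reads Geo\\Nation country code"})
            continue
        m = AV_VENDOR.search(ev["key"])
        if ev["op"] == "open" and m:
            av_hits.setdefault(ev["process"], {})[m.group(1)] = None
            continue
        m = RUN_VALUE.search(ev["key"])
        if ev["op"] == "set" and m:
            reasons = []
            if SHELLEXEC_PROXY.search(ev["data"]):
                reasons.append("rundll32 shell32.dll,ShellExec_RunDLL proxy launch")
            if SHORT_NAME.search(ev["data"]):
                reasons.append("8.3 short path in target")
            if reasons:
                findings.append({"rule": "run_key_proxy_persistence", "process": ev["process"],
                                 "value": m.group(1), "detail": "; ".join(reasons)})
    for process, vendors in av_hits.items():
        # One vendor key is normal for that vendor's own software; several is enumeration.
        if len(vendors) >= 2:
            findings.append({"rule": "av_enumeration", "process": process,
                             "detail": ", ".join(vendors)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The AV rule deliberately fires only when a single process opens keys for two or more vendors, since a legitimate product touching its own key is routine; the Run-key rule fires on the launch mechanism rather than on the value name, because "IntelPowerAgent5" is a free choice of the author and will change between builds.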
Processes
- C:\Users\Admin\AppData\Local\Temp\4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe (PID 1968)
  command line: "C:\Users\Admin\AppData\Local\Temp\4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\backgroundTaskHost.exe (PID 2872, child of 1968)
    command line: "backgroundTaskHost.exe"
    - Adds Run key to start application
    - Checks for any installed AV software in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 5800, child of 1968)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\whlF45F.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 6580, child of 5800)
      command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe"
      - Views/modifies file attributes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3424)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3912 /prefetch:8
Two points in the tree matter for detection. backgroundTaskHost.exe is a system broker, and here the 32-bit SysWOW64 copy is launched by an executable in the user's Temp directory with a bare command line, which is where the injected code runs. The cmd.exe child runs a dropped .tmp.bat with the sample's own path as its argument, and attrib.exe clears the read-only, system and hidden attributes on that same path; this is consistent with a batch that deletes the original dropper after it has moved its payload, although the batch contents are not shown on this page.
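The process tree above shows two relationships worth hunting for on an endpoint: backgroundTaskHost.exe started by something other than its normal svchost.exe parent, and a cmd.exe running a temporary .bat with an ancestor's own executable as argument, followed by attrib.exe clearing the hidden attribute on that executable. The script below is an added example and is not the sandbox's code; the process records are constructed from the PIDs, images and command lines in the tree, while the parents above the sample (explorer.exe 1000, svchost.exe 700) and the benign broker instance (PID 900) are assumptions added for contrast.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe"

# Constructed from the process tree on this page; not sandbox export records.
# PIDs 600/700/800/900/1000 and their command lines are assumed for contrast.
PROCS = [
    Proc(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(700, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch -p"),
    Proc(900, 700, r"C:\Windows\System32\backgroundTaskHost.exe",
         r'"C:\Windows\System32\backgroundTaskHost.exe" -ServerName:App.AppXexample.mca'),
    Proc(1968, 1000, SAMPLE, f'"{SAMPLE}"'),
    Proc(2872, 1968, r"C:\Windows\SysWOW64\backgroundTaskHost.exe", '"backgroundTaskHost.exe"'),
    Proc(5800, 1968, r"C:\Windows\SysWOW64\cmd.exe",
         f'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\Admin\\AppData\\Local\\whlF45F.tmp.bat" "{SAMPLE}""'),
    Proc(6580, 5800, r"C:\Windows\SysWOW64\attrib.exe", f'attrib -r -s -h "{SAMPLE}"'),
]

# Matches the quoted form seen above: cmd.exe /c ""<path>.bat" "<path>.exe""
SELF_DELETE = re.compile(r'/c\s+"*(?P<bat>[^"]+?\.bat)"+\s+"*(?P<target>[^"]+?\.exe)"*', re.I)
ATTRIB_HIDE = re.compile(r"\battrib(?:\.exe)?\b.*\s-h\b", re.I)


def _base(image):
    return ntpath.basename(image).lower()


def _ancestors(proc, table):
    seen = set()
    while proc.ppid in table and proc.ppid not in seen:
        seen.add(proc.ppid)
        proc = table[proc.ppid]
        yield proc


def find_unexpected_broker_parent(procs):
    """backgroundTaskHost.exe is normally started by svchost.exe; any other
    parent (here an executable in the user's Temp directory) marks a likely
    injection host."""
    table = {p.pid: p for p in procs}
    out = []
    for p in procs:
        if _base(p.image) != "backgroundtaskhost.exe":
            continue
        parent = table.get(p.ppid)
        if parent is None or _base(parent.image) != "svchost.exe":
            out.append({"rule": "unexpected_broker_parent", "pid": p.pid,
                        "parent_image": parent.image if parent else None})
    return out


def find_self_delete_batch(procs):
    """cmd.exe /c <.bat> <exe> where <exe> is an ancestor's own image, plus a
    child attrib.exe clearing -h on that exe: the prelude to deleting the dropper."""
    table = {p.pid: p for p in procs}
    out = []
    for p in procs:
        if _base(p.image) != "cmd.exe":
            continue
        m = SELF_DELETE.search(p.cmdline)
        if not m:
            continue
        target = m.group("target").lower()
        victim = next((a for a in _ancestors(p, table) if a.image.lower() == target), None)
        if victim is None:
            continue
        attribs = [c.pid for c in procs
                   if c.ppid == p.pid and _base(c.image) == "attrib.exe"
                   and ATTRIB_HIDE.search(c.cmdline) and target in c.cmdline.lower()]
        out.append({"rule": "self_delete_batch", "pid": p.pid, "bat": m.group("bat"),
                    "victim_pid": victim.pid, "attrib_pids": attribs})
    return out


if __name__ == "__main__":
    for finding in find_unexpected_broker_parent(PROCS) + find_self_delete_batch(PROCS):
        print(finding)
```

The self-delete rule requires the .exe argument to match an ancestor's image rather than any path, which keeps ordinary installer cleanup batches from matching, and it records the attrib.exe child PIDs so an analyst can confirm the attribute change preceded the deletion in the file-system log.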
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (1)
Downloads
- Filesize: 169KB
  MD5: 80b19ad36a0b2749252ea387377b3109
  SHA1: 0302f3946ebe649a36fa60b3d38927b82eb08c2a
  SHA256: 7aa77b6a7a474635a9de26d0978a10ef94f431bb00aa41d4303335388f21a2f6
  SHA512: a553638da846f16fc2bf8db07b7416f1cbcb0c2c4c85df2776ca686aee5dfcbea776fe8ea71e12d04dcbbdf18fcbfe8dc207d99de3e2a72581312fba3bca4d59
- Filesize: 29B
  MD5: 8b0f92d81ac18f788ee9b7f3c82da81f
  SHA1: 7bdd95f4a34e982df96e288c31266f1a70d901e5
  SHA256: 4ee03e93ab481e1358c0ba61bf7f90d07902719831153c7821330a7336d94379
  SHA512: 3d27cdba14a35b17354992cb3db069062edd6c32ac4fef35a0f4c77f98084dd5e5067dd9a7db26c72fe944189bf74a1820815384eaed278065c319b30a5389b3
- Filesize: 55B
  MD5: 6295a5129dedd11353b8b74c6a219f79
  SHA1: 16410053b1787ca899458981382fede4236347f3
  SHA256: 78440e641b18fa6a5c42814a5ee35a846823d610266fa9dea17864db70dfa14a
  SHA512: aa467b2d220f1c2a0005e165fdcffe6e281e8147c5955951b7475ad9621e9445c52d7e48d7df056474a7cdc3593e914ea0bc54a7fbbce5296d0bad348a859ea9