Analysis
  max time kernel:  141s
  max time network: 161s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240226-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        28/05/2024, 20:30
Static task: static1

Behavioral task: behavioral1
  Sample:   01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample:   01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
  Target: 01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe
  Size:   12KB
  MD5:    01f9a5120de1b2b1f94ffe742b596250
  SHA1:   3a132d13cd644c8197218bac49a38fd2691ac5ec
  SHA256: e0fefaeb970b8ff2b079e696e5d66715bf98d04ca005b1cfb0ce00c54b411a50
  SHA512: 1104720a63ce25753fe7a678319f443cc29e82434950a3f8322d52ea644c641f5065c05a88f937fb078fca5544aaccfa011bdb00afd117ea35f293de4fe18532
  SSDEEP: 384:pL7li/2zYq2DcEQvdQcJKLTp/NK9xavar:ZkMCQ9cvar
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe

Deletes itself (1 IoC)
  pid  Process
  364  tmp95F3.tmp.exe

Executes dropped EXE (1 IoC)
  pid  Process
  364  tmp95F3.tmp.exe

Uses the VBS compiler for execution (1 TTP)
Note that vbc.exe is the .NET Framework Visual Basic compiler, not a VBScript engine: the sample spawns it with a response file (the divgyhse.cmdline argument in the process tree), and the compiler in turn invokes cvtres.exe to convert resources for the build, so the sample compiles code at runtime rather than running a script.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1152  01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                              procid_target
  PID 1152 wrote to memory of 2212  1152  01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe  98
  PID 1152 wrote to memory of 2212  1152  01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe  98
  PID 1152 wrote to memory of 2212  1152  01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe  98
  PID 2212 wrote to memory of 4248  2212  vbc.exe                                              100
  PID 2212 wrote to memory of 4248  2212  vbc.exe                                              100
  PID 2212 wrote to memory of 4248  2212  vbc.exe                                              100
  PID 1152 wrote to memory of 364   1152  01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe  101
  PID 1152 wrote to memory of 364   1152  01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe  101
  PID 1152 wrote to memory of 364   1152  01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe  101
Processes

1. C:\Users\Admin\AppData\Local\Temp\01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe  (PID 1152)
   command line: "C:\Users\Admin\AppData\Local\Temp\01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID 2212)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\divgyhse\divgyhse.cmdline"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (PID 4248)
         command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1321CE9429874E169EC2679C7D679C83.TMP"

   2. C:\Users\Admin\AppData\Local\Temp\tmp95F3.tmp.exe  (PID 364)
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp95F3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe
      - Deletes itself
      - Executes dropped EXE

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 408, top level, not spawned by the sample)
   command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2208 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
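The three behaviours the signatures and process tree above show together (the Geo\Nation registry lookup, a .NET compiler launched with a response file by a non-developer process, and a dropped tmpXXXX.tmp.exe handed the parent's own path so it can delete it) can be expressed as one small detection over process and registry events. The script below is an added example, not part of the tria.ge report or its signature engine; the event records are transcribed from this page's process tree and IoC tables, while the Proc record layout, the rule names and the DEV_TOOLS allowlist are the example's own assumptions.

```python
"""Flag geofence lookup, compile-at-runtime and self-delete-helper behaviour
from process-start and registry-read events (added example, not tria.ge code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Proc:
    """One process-start event; reg_queries lists registry values it read."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    reg_queries: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Constructed input: events transcribed from this report's process tree and
# signature table (same PIDs, images and command lines), not a live capture.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\01f9a5120de1b2b1f94ffe742b596250_NeikiAnalytics.exe"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
EVENTS = [
    Proc(1152, None, SAMPLE, '"' + SAMPLE + '"',
         reg_queries=[r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000"
                      r"\Control Panel\International\Geo\Nation"]),
    Proc(2212, 1152, NET + r"\vbc.exe",
         '"' + NET + r'\vbc.exe" /noconfig @"' + TEMP + r'\divgyhse\divgyhse.cmdline"'),
    Proc(4248, 2212, NET + r"\cvtres.exe",
         NET + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP + r'\RESB60.tmp" "'
         + TEMP + r'\vbc1321CE9429874E169EC2679C7D679C83.TMP"'),
    Proc(364, 1152, TEMP + r"\tmp95F3.tmp.exe",
         '"' + TEMP + r'\tmp95F3.tmp.exe" ' + SAMPLE),
    Proc(408, None, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'),
]

GEO_NATION = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
TMP_HELPER = re.compile(r"\\tmp[0-9a-f]{4}\.tmp\.exe$", re.I)
COMPILERS = {"vbc.exe", "csc.exe"}
# Assumed allowlist: parents from which a compiler launch is routine.
DEV_TOOLS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


def analyse(events: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [findings]}, attributing each finding to the responsible process."""
    by_pid = {p.pid: p for p in events}
    findings: Dict[int, List[str]] = {}

    def flag(pid: int, msg: str) -> None:
        findings.setdefault(pid, []).append(msg)

    for p in events:
        # 1. Geofence: reads the configured country under Control Panel\International\Geo.
        if any(GEO_NATION.search(k) for k in p.reg_queries):
            flag(p.pid, "geofence: queries Control Panel\\International\\Geo\\Nation")
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        # 2. Compile-at-runtime: a .NET compiler given a response file (@file)
        #    by a parent that is not a developer tool.
        if (basename(p.image) in COMPILERS and "@" in p.cmdline
                and basename(parent.image) not in DEV_TOOLS):
            flag(parent.pid, f"compile-at-runtime: spawned {basename(p.image)} "
                             f"(pid {p.pid}) with a response file")
        # 3. Self-delete helper: a dropped tmpXXXX.tmp.exe launched with the
        #    parent's own image path as its argument.
        if TMP_HELPER.search(p.image) and parent.image.lower() in p.cmdline.lower():
            flag(parent.pid, f"self-delete helper: launched {basename(p.image)} "
                             f"(pid {p.pid}) with its own path as argument")
    return findings


if __name__ == "__main__":
    for pid, msgs in analyse(EVENTS).items():
        for m in msgs:
            print(f"PID {pid}: {m}")
```

Every finding is attributed to PID 1152, the original sample, even though two of the three events belong to its children; attributing to the parent is what lets a triage view line up with the report's own "Suspicious use of WriteProcessMemory" rows, all of which have 1152 or its child 2212 as the writer. cvtres.exe (PID 4248) and the unrelated msedge.exe (PID 408) produce no findings.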
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
  MD5:    c5382c6a2135edebf620b90215cd1eec
  SHA1:   6cc0f9b9dcc2c6c4a6259491d07e144a08e55f16
  SHA256: 3b04ea30d107ec8cbb242cabce54f5a0fb20b1089b1c1e9fbe140a4c879d2f92
  SHA512: ea97522a7da2be5f44d9734d3c95830614bc41b9666811a1f7e97173aaa21436b547c6a8d79ab85a8006be332fd91f878d602d3ce96fa6df771c882e79832feb

Filesize: 1KB
  MD5:    e2a0da0853c86e5f45983e1cb88bfe68
  SHA1:   9949277ac66af8f0c72177296ecede7a9450fc33
  SHA256: 8f5dedfa63be6a1ddcf9876e1cfc51709863ca269ed482b8276779ffd260d848
  SHA512: 0c9b2ef83bebf94fb9c0c3ae00822151e1f4390e7f798984f951cc76f0487d2e5ddc4e12173dc552d5b5b28678c3cff2729a6752408ae49fb040750272055697

Filesize: 2KB
  MD5:    dfa74ca2fabab677582b5f11df7fffa7
  SHA1:   8faa2df0d36c617e91a081f10950a80f7d0d6ea8
  SHA256: 1f03ed4b444d288f019c20dd450ab86cb3c5e86bb3cea9741374f68f4fe79f46
  SHA512: f244fbb046edb73ca5ff0a7dd44332b1c486359bbab1e7ff9744cf1de4e8843133af83f2e3b51ee60570725d902dc494a3f3e0f097c8c24219333b9b641a335e

Filesize: 273B
  MD5:    ab82cd8d6447ca6554d99dd7ee6b61f5
  SHA1:   97fa1392d12e8b2fb75c124255383aeeaba0dc88
  SHA256: 325fa83546ea0058d8c6724a337abfb846df18981e902706628f22d68c843dbc
  SHA512: d1b4829de6a1388da89b7d5244ec31b53edf633904db857863b8e9d4c42109f5ce98670d05fb1dc74ed94eccb036a4f07f3478a39631798c9c8c3a844b841cf3

Filesize: 12KB
  MD5:    6e182084cd3b14e5bc6dc940eb86a0d9
  SHA1:   931d70791e81ae92f1a5d977c873ed8ad205c8ae
  SHA256: 658effdb6d92851804ac8e9341ccecd6e4ca13d8aa51a73a9b8fc6e678bea91a
  SHA512: e850efe854d9123c285728adc3e715087ba96cf531fc477daa9d63c46667d4c8a6138b0583538b387fa7f97adb460f6829114a20b3d6a92b2aa642ff9b91a9ab

Filesize: 1KB
  MD5:    43597a79152f595e2496e416a1d01728
  SHA1:   1ecdf3122579f5dfb0deb692f180e0586552efe9
  SHA256: 889a2f289d7a3a6be729dc33a760e1642bd1e604b49059a559826fb4eba7470c
  SHA512: d33250e366a20f35c8fc9a57479729779fc57b62ea4bfdb8f2e3d65b5d31975e32768733a87f806bdc0cf679247632167347217ade3b34f768a994e13427b533