Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/05/2024, 10:30
Static task: static1
Behavioral task: behavioral1
  Sample: 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
Size: 12KB
MD5: 514721b58189a2cb0132f06b1061f900
SHA1: 2f55a861874e9e32990d9ee8ea86695ece396fa7
SHA256: 55f4dcbe3a9fecf82f78ba628fb6375e0e800b7d04bae2bc8f78b220926f5c51
SHA512: f0fd4c584fd83d4442964fd556c383acdf436b790deda81fe5fcc5509c99c7e89995b03fc37e14b2ff74cba520de1e606d1b959dc247eca367b5bc58de2a39f3
SSDEEP: 384:XL7li/2zsq2DcEQvdQcJKLTp/NK9xaAY:bYMCQ9cAY
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
  Process: 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
- Deletes itself (1 IoC)
  PID 4996, process tmp6A44.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 4996, process tmp6A44.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 380, process 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 380 wrote to memory of 1620 | 380 | 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe | 85
  PID 380 wrote to memory of 1620 | 380 | 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe | 85
  PID 380 wrote to memory of 1620 | 380 | 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe | 85
  PID 1620 wrote to memory of 556 | 1620 | vbc.exe | 88
  PID 1620 wrote to memory of 556 | 1620 | vbc.exe | 88
  PID 1620 wrote to memory of 556 | 1620 | vbc.exe | 88
  PID 380 wrote to memory of 4996 | 380 | 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe | 89
  PID 380 wrote to memory of 4996 | 380 | 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe | 89
  PID 380 wrote to memory of 4996 | 380 | 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe"
  PID: 380
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iedugzqd\iedugzqd.cmdline"
    PID: 1620
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C47.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD288C4AA22CA416EBE1912016BAE943.TMP"
      PID: 556
  C:\Users\Admin\AppData\Local\Temp\tmp6A44.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6A44.tmp.exe" C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
    PID: 4996
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads