Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/05/2024, 12:55

General

  • Target

    18974c83acf231727e4f844734890560_NeikiAnalytics.exe

  • Size

    95KB

  • MD5

    18974c83acf231727e4f844734890560

  • SHA1

    7244823c17e8cc6b1c018c3cfd8687efc280cc54

  • SHA256

    e2c257633a1d0a36e870b957390f21b49872aa752ba8cebf0dd9ab052938d54d

  • SHA512

    b31f389a263b6023e5d2009148051dd594f189198f3de836b1ea7b9f0aee1d41887f300af4c6dbe7aae85cba5a87b70fe5db07f7ebd0f35b093485ac9bc3723b

  • SSDEEP

    1536:EGqRGbQHSgOTw1BFxnsUdsdBhMgxRFy2kckEUEVvccRPAAXLSYPph/ATvYSByU64:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/A3

Score
7/10
upx

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 6 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18974c83acf231727e4f844734890560_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\18974c83acf231727e4f844734890560_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\WINDOWS\VWFLH\rMX.exe
      C:\WINDOWS\VWFLH\rMX.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c echo 0>>c:\windows\nk.txt
        3⤵
        • Drops file in Windows directory
        PID:864
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4884
        • C:\WINDOWS\VWFLH\rMX.exe.exe
          C:\WINDOWS\VWFLH\rMX.exe.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:3684
          • C:\WINDOWS\VWFLH\rMX.exe
            C:\WINDOWS\VWFLH\rMX.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:1984
            • C:\WINDOWS\VWFLH\rMX.exe
              C:\WINDOWS\VWFLH\rMX.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1676
            • C:\WINDOWS\VWFLH\rMX.exe
              C:\WINDOWS\VWFLH\rMX.exe
              6⤵
              • Executes dropped EXE
              PID:932
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 80
                7⤵
                • Program crash
                PID:1964
            • C:\WINDOWS\VWFLH\rMX.exe
              C:\WINDOWS\VWFLH\rMX.exe
              6⤵
              • Executes dropped EXE
              PID:1508
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 80
                7⤵
                • Program crash
                PID:4604
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\90.vbs
            5⤵
            • Checks computer location settings
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2972
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\90.vbs"
              6⤵
              PID:5268
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\66.vbs
        2⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\66.vbs"
          3⤵
          • Deletes itself
          PID:5416
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1508 -ip 1508
    1⤵
    PID:2216
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 932 -ip 932
    1⤵
    PID:2608

Downloads

  • C:\66.vbs

    Filesize

    219B

    MD5

    07e544f63fbea0ef79800f29e3b41bb1

    SHA1

    0d19d62c7e610bbe227f7d2ad1a021fa88af6327

    SHA256

    092bd9c9e4e82f600169f9d5809d9f376573ffd8b5836e0cf0a2e68ab02d6128

    SHA512

    2c3e4b91f7ddbfbca84b2a8ebdce36798544928bb6bf397026b9f6de0a4dd55830af0fdf102572cd839cb28cf0afd64f7fc4cff165c4784649c1af33d69db9a2

  • C:\90.vbs

    Filesize

    162B

    MD5

    c1d0843bf37d689384e7405b21a7b49a

    SHA1

    94ebd5a768a1737e00f7736da82280bfbbf63bf6

    SHA256

    5c5fda3fe4b496d95712ae513f907b432dd26d709f1121ea6908d9624a959f06

    SHA512

    5c69ac27a9da9352bc97b3f4ac7bcf54808fdcb49e488bee151500bdea264f68d29755ef4b9d71cdd5cc84547433238bfef66fc38e7dd2524a5d8e60241dcc6b

  • C:\Windows\VWFLH\rMX.exe

    Filesize

    95KB

    MD5

    18974c83acf231727e4f844734890560

    SHA1

    7244823c17e8cc6b1c018c3cfd8687efc280cc54

    SHA256

    e2c257633a1d0a36e870b957390f21b49872aa752ba8cebf0dd9ab052938d54d

    SHA512

    b31f389a263b6023e5d2009148051dd594f189198f3de836b1ea7b9f0aee1d41887f300af4c6dbe7aae85cba5a87b70fe5db07f7ebd0f35b093485ac9bc3723b

  • C:\Windows\VWFLH\rMX.exe.exe

    Filesize

    95KB

    MD5

    710302be2d9794997d19f0e543679388

    SHA1

    204843e1489abab855263ae601c202490b4a0fc0

    SHA256

    57adfaba405afc123ebee9a1854f2f6401b94c4ef541a27b0a2ca9d8bbb63c58

    SHA512

    bd50af46ac5a7ff3ba8706a26e2fa176aaebac7cff3858bfcd9814ed5d7d53b736875c9f5122fb44d5b9da591670d2f77078bf16b2e425887889f2da478393cb

  • memory/900-8-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

    Filesize

    124KB

  • memory/1676-21-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/1676-22-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/1676-30-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/1676-34-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/1676-33-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/1676-20-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

  • memory/1984-32-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

    Filesize

    124KB

  • memory/2724-10-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

    Filesize

    124KB

  • memory/3684-35-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

    Filesize

    124KB