Analysis
max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 12:55
Static task: static1
Behavioral task: behavioral1
  Sample: 18974c83acf231727e4f844734890560_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 18974c83acf231727e4f844734890560_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 18974c83acf231727e4f844734890560_NeikiAnalytics.exe
Size: 95KB
MD5: 18974c83acf231727e4f844734890560
SHA1: 7244823c17e8cc6b1c018c3cfd8687efc280cc54
SHA256: e2c257633a1d0a36e870b957390f21b49872aa752ba8cebf0dd9ab052938d54d
SHA512: b31f389a263b6023e5d2009148051dd594f189198f3de836b1ea7b9f0aee1d41887f300af4c6dbe7aae85cba5a87b70fe5db07f7ebd0f35b093485ac9bc3723b
SSDEEP: 1536:EGqRGbQHSgOTw1BFxnsUdsdBhMgxRFy2kckEUEVvccRPAAXLSYPph/ATvYSByU64:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/A3
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation (cmd.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation (cmd.exe)
  Both queries are attributed to cmd.exe; in the Processes section this tag sits on the two cmd /c launchers of the .vbs scripts (PIDs 2072 and 2972), not on the rMX.exe payload, so treat the geofence reading as a weak signal.
Deletes itself (1 IoC)
  PID 5416 WScript.exe

Executes dropped EXE (6 IoCs)
  PID 900 rMX.exe
  PID 3684 rMX.exe.exe
  PID 1984 rMX.exe
  PID 1676 rMX.exe
  PID 932 rMX.exe
  PID 1508 rMX.exe
yara_rule: upx (6 IoCs)
  behavioral2/memory/1676-20-0x0000000010000000-0x000000001002A000-memory.dmp
  behavioral2/memory/1676-22-0x0000000010000000-0x000000001002A000-memory.dmp
  behavioral2/memory/1676-21-0x0000000010000000-0x000000001002A000-memory.dmp
  behavioral2/memory/1676-30-0x0000000010000000-0x000000001002A000-memory.dmp
  behavioral2/memory/1676-34-0x0000000010000000-0x000000001002A000-memory.dmp
  behavioral2/memory/1676-33-0x0000000010000000-0x000000001002A000-memory.dmp
  All six hits are the same 0x2A000-byte region at 0x10000000 in PID 1676, the one SetThreadContext target that did not crash; that dump is the one to unpack.
Suspicious use of SetThreadContext (3 IoCs)
  PID 1984 (rMX.exe) set thread context of 1676, procid_target 90
  PID 1984 (rMX.exe) set thread context of 932, procid_target 91
  PID 1984 (rMX.exe) set thread context of 1508, procid_target 92
Drops file in Windows directory (9 IoCs)
  File created: \??\c:\windows\rMX.exe.bat (rMX.exe)
  File opened for modification: \??\c:\windows\nk.txt (cmd.exe)
  File created: \??\c:\windows\rMX.exe.bat (rMX.exe)
  File created: C:\WINDOWS\VWFLH\rMX.exe (18974c83acf231727e4f844734890560_NeikiAnalytics.exe)
  File opened for modification: C:\WINDOWS\VWFLH\rMX.exe (18974c83acf231727e4f844734890560_NeikiAnalytics.exe)
  File created: C:\WINDOWS\VWFLH\rMX.exe.exe (rMX.exe)
  File opened for modification: C:\WINDOWS\VWFLH\rMX.exe.exe (rMX.exe)
  File created: C:\WINDOWS\VWFLH\rMX.exe (rMX.exe.exe)
  File opened for modification: C:\WINDOWS\VWFLH\rMX.exe (rMX.exe.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
  WerFault.exe PID 4604 handled the crash of PID 1508, procid_target 92
  WerFault.exe PID 1964 handled the crash of PID 932, procid_target 91
Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings (cmd.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings (cmd.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1676 rMX.exe
Suspicious use of WriteProcessMemory (43 IoCs; identical rows collapsed, repeat count in parentheses)
  PID 2724 (18974c83acf231727e4f844734890560_NeikiAnalytics.exe) wrote to memory of 900, procid_target 81 (x3)
  PID 900 (rMX.exe) wrote to memory of 864, procid_target 82 (x3)
  PID 900 (rMX.exe) wrote to memory of 4884, procid_target 83 (x3)
  PID 2724 (18974c83acf231727e4f844734890560_NeikiAnalytics.exe) wrote to memory of 2072, procid_target 84 (x3)
  PID 4884 (cmd.exe) wrote to memory of 3684, procid_target 88 (x3)
  PID 3684 (rMX.exe.exe) wrote to memory of 1984, procid_target 89 (x3)
  PID 1984 (rMX.exe) wrote to memory of 1676, procid_target 90 (x8)
  PID 1984 (rMX.exe) wrote to memory of 932, procid_target 91 (x4)
  PID 1984 (rMX.exe) wrote to memory of 1508, procid_target 92 (x4)
  PID 3684 (rMX.exe.exe) wrote to memory of 2972, procid_target 94 (x3)
  PID 2072 (cmd.exe) wrote to memory of 5416, procid_target 97 (x3)
  PID 2972 (cmd.exe) wrote to memory of 5268, procid_target 101 (x3)
  Every pair here is also a parent/child pair in the Processes section; the extra writes into 1676, 932 and 1508 are the ones that line up with the SetThreadContext calls above.
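The WriteProcessMemory, SetThreadContext and Program crash tables above are enough to rebuild the process tree and to single out the injection chain without opening the sandbox UI. The script below is an added example, not part of the tria.ge report and not Triage's own tooling: it embeds the report's own rows (repeats collapsed), parses them, and reports which children PID 1984 both wrote into and re-pointed a thread of, and which of those crashed. The LEAF_IMAGES table is filled in from the Processes section because leaf PIDs never appear in a writer column.

```python
"""Reconstruct the process tree and the injection chain from the signature
tables of the tria.ge report above.

Added example: not part of the report and not Triage's own code. The row
strings are copied from the report's "Suspicious use of WriteProcessMemory",
"Suspicious use of SetThreadContext" and "Program crash" tables, with exact
repeats of a row collapsed to one copy; the parsing and the hollowing
heuristic are this example's own."""
import re
from collections import defaultdict

# Row format: "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
WRITE_ROWS = """
PID 2724 wrote to memory of 900 2724 18974c83acf231727e4f844734890560_NeikiAnalytics.exe 81
PID 900 wrote to memory of 864 900 rMX.exe 82
PID 900 wrote to memory of 4884 900 rMX.exe 83
PID 2724 wrote to memory of 2072 2724 18974c83acf231727e4f844734890560_NeikiAnalytics.exe 84
PID 4884 wrote to memory of 3684 4884 cmd.exe 88
PID 3684 wrote to memory of 1984 3684 rMX.exe.exe 89
PID 1984 wrote to memory of 1676 1984 rMX.exe 90
PID 1984 wrote to memory of 932 1984 rMX.exe 91
PID 1984 wrote to memory of 1508 1984 rMX.exe 92
PID 3684 wrote to memory of 2972 3684 rMX.exe.exe 94
PID 2072 wrote to memory of 5416 2072 cmd.exe 97
PID 2972 wrote to memory of 5268 2972 cmd.exe 101
"""
# Row format: "PID <writer> set thread context of <target> <writer> <image> <procid_target>"
CTX_ROWS = """
PID 1984 set thread context of 1676 1984 rMX.exe 90
PID 1984 set thread context of 932 1984 rMX.exe 91
PID 1984 set thread context of 1508 1984 rMX.exe 92
"""
# Row format: "<WerFault pid> <crashed pid> WerFault.exe <procid_target>"
CRASH_ROWS = """
4604 1508 WerFault.exe 92
1964 932 WerFault.exe 91
"""
# PIDs that never appear in a writer column; images taken from the report's Processes section.
LEAF_IMAGES = {864: "cmd.exe", 1676: "rMX.exe", 932: "rMX.exe", 1508: "rMX.exe",
               5416: "WScript.exe", 5268: "WScript.exe"}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) \d+")
CRASH_RE = re.compile(r"\d+ (\d+) WerFault\.exe \d+")


def parse_edges(text, rx):
    """(writer, target, writer_image) tuples in report order."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3)) for m in rx.finditer(text)]


def spawn_tree(write_rows=WRITE_ROWS):
    """Writer PID -> PIDs it wrote into, in report order.

    In this report every WriteProcessMemory target is also a direct child of the
    writer in the Processes section, so the table doubles as the parent -> child
    tree. Check that against the process list before reusing the idea elsewhere."""
    tree = defaultdict(list)
    for writer, target, _ in parse_edges(write_rows, WRITE_RE):
        if target not in tree[writer]:
            tree[writer].append(target)
    return dict(tree)


def image_of(pid, write_rows=WRITE_ROWS):
    """Image name: from the writer column if the PID ever wrote, else LEAF_IMAGES."""
    for writer, _, image in parse_edges(write_rows, WRITE_RE):
        if writer == pid:
            return image
    return LEAF_IMAGES.get(pid, "?")


def hollowing_candidates(write_rows=WRITE_ROWS, ctx_rows=CTX_ROWS):
    """Writer -> targets the writer both wrote into and set a thread context on.

    Writing into a child and then replacing a thread's context is the shape of
    process hollowing / thread hijacking; here each target is a copy of the
    writer's own image."""
    wrote = {(w, t) for w, t, _ in parse_edges(write_rows, WRITE_RE)}
    out = defaultdict(list)
    for writer, target, _ in parse_edges(ctx_rows, CTX_RE):
        if (writer, target) in wrote:
            out[writer].append(target)
    return dict(out)


def injection_outcome(crash_rows=CRASH_ROWS, **kw):
    """Hollowed target -> 'crashed' if WerFault handled it, else 'running'."""
    crashed = {int(m.group(1)) for m in CRASH_RE.finditer(crash_rows)}
    return {t: ("crashed" if t in crashed else "running")
            for targets in hollowing_candidates(**kw).values() for t in targets}


def render_tree(root=2724, tree=None, depth=0):
    """Indented 'PID image' lines, depth-first from root."""
    tree = spawn_tree() if tree is None else tree
    lines = ["  " * depth + f"{root} {image_of(root)}"]
    for child in tree.get(root, []):
        lines.extend(render_tree(child, tree, depth + 1))
    return lines
```

Running `print("\n".join(render_tree()))` followed by `print(hollowing_candidates(), injection_outcome())` reproduces the tree in the Processes section and reports that 1984 injected into 1676, 932 and 1508, of which only 1676 kept running. The SetThreadContext rows are intersected with the WriteProcessMemory rows on purpose: a thread-context change without a preceding write into the same process would be a different (and rarer) pattern and should not be lumped in.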
Processes (indented by parent/child depth; image path first, then the command line where it differs)

1  PID 2724  C:\Users\Admin\AppData\Local\Temp\18974c83acf231727e4f844734890560_NeikiAnalytics.exe
     Drops file in Windows directory; Suspicious use of WriteProcessMemory
  2  PID 900  C:\WINDOWS\VWFLH\rMX.exe
       Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    3  PID 864  C:\Windows\SysWOW64\cmd.exe  |  cmd /c echo 0>>c:\windows\nk.txt
         Drops file in Windows directory
         Note: cmd treats a digit immediately before >> as a handle number, so this line redirects handle 0 to nk.txt rather than appending a "0"; nk.txt should be created or touched but left empty, with "ECHO is on." going to the console.
    3  PID 4884  C:\Windows\SysWOW64\cmd.exe  |  cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
         Suspicious use of WriteProcessMemory
      4  PID 3684  C:\WINDOWS\VWFLH\rMX.exe.exe
           Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
        5  PID 1984  C:\WINDOWS\VWFLH\rMX.exe
             Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
          6  PID 1676  C:\WINDOWS\VWFLH\rMX.exe
               Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          6  PID 932  C:\WINDOWS\VWFLH\rMX.exe
               Executes dropped EXE
            7  PID 1964  C:\Windows\SysWOW64\WerFault.exe  |  C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 80
                 Program crash
          6  PID 1508  C:\WINDOWS\VWFLH\rMX.exe
               Executes dropped EXE
            7  PID 4604  C:\Windows\SysWOW64\WerFault.exe  |  C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 80
                 Program crash
        5  PID 2972  C:\Windows\SysWOW64\cmd.exe  |  cmd /c c:\90.vbs
             Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
          6  PID 5268  C:\Windows\SysWOW64\WScript.exe  |  "C:\Windows\System32\WScript.exe" "C:\90.vbs"
  2  PID 2072  C:\Windows\SysWOW64\cmd.exe  |  cmd /c c:\66.vbs
       Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
    3  PID 5416  C:\Windows\SysWOW64\WScript.exe  |  "C:\Windows\System32\WScript.exe" "C:\66.vbs"
         Deletes itself
1  PID 2216  C:\Windows\SysWOW64\WerFault.exe  |  C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1508 -ip 1508
1  PID 2608  C:\Windows\SysWOW64\WerFault.exe  |  C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 932 -ip 932
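The tree above gives four behaviours worth turning into host-side detections: an executable dropped under C:\Windows by a process running from the user's Temp directory, cmd.exe redirecting echo output into C:\Windows, WScript.exe running a .vbs that sits directly under the drive root (C:\66.vbs, C:\90.vbs), and a process launching several copies of its own image before injecting into them. The script below is an added example, not part of the tria.ge report, not Sysmon output and not a Sigma rule: the events are constructed by hand to mirror the Processes section using Sysmon-like field names (image, cmdline, parent_image, target), two benign events are made up as controls, and the rule logic is a starting point rather than a tuned signature.

```python
"""Detection rules for the behaviours in the process tree above, run over a
handful of constructed endpoint events.

Added example: not part of the tria.ge report, not Sysmon output and not a
Sigma rule. Events are written by hand to mirror the report's Processes section
and its "Drops file in Windows directory" entries; the last two events are
invented benign controls. The rules are this example's own."""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\18974c83acf231727e4f844734890560_NeikiAnalytics.exe"
RMX = r"C:\WINDOWS\VWFLH\rMX.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"


def proc(pid, ppid, image, cmdline, parent_image):
    return {"type": "ProcessCreate", "pid": pid, "ppid": ppid, "image": image,
            "cmdline": cmdline, "parent_image": parent_image}


def filec(pid, image, target):
    return {"type": "FileCreate", "pid": pid, "image": image, "target": target}


# Constructed events (not real telemetry), following the report's tree.
EVENTS = [
    filec(2724, SAMPLE, RMX),
    proc(900, 2724, RMX, RMX, SAMPLE),
    proc(864, 900, CMD, r"cmd /c echo 0>>c:\windows\nk.txt", RMX),
    proc(1984, 3684, RMX, RMX, RMX + ".exe"),
    proc(1676, 1984, RMX, RMX, RMX),
    proc(932, 1984, RMX, RMX, RMX),
    proc(1508, 1984, RMX, RMX, RMX),
    proc(5268, 2972, WSCRIPT, r'"C:\Windows\System32\WScript.exe" "C:\90.vbs"', CMD),
    proc(5416, 2072, WSCRIPT, r'"C:\Windows\System32\WScript.exe" "C:\66.vbs"', CMD),
    # Invented benign controls: a system binary writing an exe under C:\Windows,
    # and a user running a script from Documents.
    filec(1234, r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\update.exe"),
    proc(777, 1, r"C:\Windows\System32\wscript.exe",
         r'wscript.exe "C:\Users\Admin\Documents\report.vbs"', r"C:\Windows\explorer.exe"),
]


def _base(path):
    return path.lower().rsplit("\\", 1)[-1]


def exe_dropped_in_windows(ev):
    """R1: an .exe written under the Windows directory by a process that does not itself run from there."""
    if ev["type"] != "FileCreate":
        return False
    target, image = ev["target"].lower(), ev["image"].lower()
    return (target.startswith("c:\\windows\\") and target.endswith(".exe")
            and not image.startswith("c:\\windows\\"))


# A drive letter, one backslash, a file name with no further path separators, .vbs
ROOT_SCRIPT = re.compile(r'(?<![\\\w])[a-z]:\\[^\\"\s]+\.vbs\b', re.I)


def script_from_drive_root(ev):
    """R2: wscript/cscript launching a .vbs that sits directly under a drive root."""
    return (ev["type"] == "ProcessCreate"
            and _base(ev["image"]) in ("wscript.exe", "cscript.exe")
            and ROOT_SCRIPT.search(ev["cmdline"]) is not None)


ECHO_INTO_WINDOWS = re.compile(r"\becho\b.*>>?\s*\"?c:\\windows\\", re.I)


def cmd_redirect_into_windows(ev):
    """R3: cmd.exe redirecting echo output into a file under the Windows directory."""
    return (ev["type"] == "ProcessCreate" and _base(ev["image"]) == "cmd.exe"
            and ECHO_INTO_WINDOWS.search(ev["cmdline"]) is not None)


def self_spawn_fanout(events, min_children=2):
    """R4: parents that launch two or more copies of their own image (PID 1984 here)."""
    fan = Counter(ev["ppid"] for ev in events
                  if ev["type"] == "ProcessCreate"
                  and ev["image"].lower() == ev["parent_image"].lower())
    return {ppid for ppid, n in fan.items() if n >= min_children}


def run_rules(events=EVENTS):
    """Sorted (rule name, pid) hits over the event list."""
    hits = set()
    for ev in events:
        for rule in (exe_dropped_in_windows, script_from_drive_root, cmd_redirect_into_windows):
            if rule(ev):
                hits.add((rule.__name__, ev["pid"]))
    for ppid in self_spawn_fanout(events):
        hits.add(("self_spawn_fanout", ppid))
    return sorted(hits)
```

`run_rules()` flags PIDs 2724, 864, 5268, 5416 and 1984 and stays silent on the two controls. R4 is the one to treat with care in production: a parent spawning copies of itself is normal for browsers and some service hosts, so gate it on the parent not being in an allow-list, or pair it with the handle/thread activity that an EDR exposes, before alerting on it alone.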
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 219B
MD5: 07e544f63fbea0ef79800f29e3b41bb1
SHA1: 0d19d62c7e610bbe227f7d2ad1a021fa88af6327
SHA256: 092bd9c9e4e82f600169f9d5809d9f376573ffd8b5836e0cf0a2e68ab02d6128
SHA512: 2c3e4b91f7ddbfbca84b2a8ebdce36798544928bb6bf397026b9f6de0a4dd55830af0fdf102572cd839cb28cf0afd64f7fc4cff165c4784649c1af33d69db9a2

Filesize: 162B
MD5: c1d0843bf37d689384e7405b21a7b49a
SHA1: 94ebd5a768a1737e00f7736da82280bfbbf63bf6
SHA256: 5c5fda3fe4b496d95712ae513f907b432dd26d709f1121ea6908d9624a959f06
SHA512: 5c69ac27a9da9352bc97b3f4ac7bcf54808fdcb49e488bee151500bdea264f68d29755ef4b9d71cdd5cc84547433238bfef66fc38e7dd2524a5d8e60241dcc6b

Filesize: 95KB (same hashes as the submitted sample)
MD5: 18974c83acf231727e4f844734890560
SHA1: 7244823c17e8cc6b1c018c3cfd8687efc280cc54
SHA256: e2c257633a1d0a36e870b957390f21b49872aa752ba8cebf0dd9ab052938d54d
SHA512: b31f389a263b6023e5d2009148051dd594f189198f3de836b1ea7b9f0aee1d41887f300af4c6dbe7aae85cba5a87b70fe5db07f7ebd0f35b093485ac9bc3723b

Filesize: 95KB
MD5: 710302be2d9794997d19f0e543679388
SHA1: 204843e1489abab855263ae601c202490b4a0fc0
SHA256: 57adfaba405afc123ebee9a1854f2f6401b94c4ef541a27b0a2ca9d8bbb63c58
SHA512: bd50af46ac5a7ff3ba8706a26e2fa176aaebac7cff3858bfcd9814ed5d7d53b736875c9f5122fb44d5b9da591670d2f77078bf16b2e425887889f2da478393cb