Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/06/2024, 10:50 UTC

General

  • Target

    428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe

  • Size

    2.7MB

  • MD5

    428243aa08704d9c8b526686cf95cff0

  • SHA1

    471b56b81e6b0bc1e8ffe398f59b92b6d1d1911c

  • SHA256

    75173bab8fb15d74f91116a64626113a34af841c5d24a46ee523177e925da1d5

  • SHA512

    0274f363fb3d06c83368d635df055373ad7271d93c3b5114fa5cc2cd371b61ee3cf2751a9cc86cf6bb45ce401321cbd920a7ac4fc95510fa818ca7467355b1b2

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBb9w4Sx:+R0pI/IQlUoMPdmpSpj4

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\428243aa08704d9c8b526686cf95cff0_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Files4U\devdobsys.exe
      C:\Files4U\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:5076
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1956 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1300

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Files4U\devdobsys.exe

      Filesize

      2.7MB

      MD5

      2a9b24158082f083adf596dcc0fa5943

      SHA1

      d4a6d1634abc94e8f844ca2dc530b4ed542013e3

      SHA256

      49cce836c465aab077d90ad7f9c67a41f4a41f3646441dad128de4a8a9ec6870

      SHA512

      14f44d089fa6c009203dfd67634b0731baef1dbc7174026a5da85ea5d7344e7b3a22e3dfc96b23fabab52a8f1528d8c6f58d7ac08de1cab7b8c8283c0e5cb496

    • C:\KaVBRQ\dobxloc.exe

      Filesize

      45KB

      MD5

      e9f1c35cd88fa326c03b07610034db02

      SHA1

      84b21aab3b1e745f5005d594236c499bc6892d3f

      SHA256

      6d3701e4dded8faf0c9a7f29b51851ae759e62ea9667a0c52047ddbed1915c5d

      SHA512

      d48996f9713a650a8d62a3d07d5feeeb2691db39b97ff63f93d26aa3a6c15bbc9c09cf0b2dbcc0d7bd9ce86c10ed31937911946d004435661e30ddea1d2bf35d

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      202B

      MD5

      4e03edaa272bbc868173907c66bd79c9

      SHA1

      79a0864e6e6c5646ba7354580778d4c5034656a9

      SHA256

      368cadf7196abfa4e948dc7579ec4a4ecb0b48139b9adc8abfd19512cf4da9b3

      SHA512

      d1ed2c2d845467b321bb5f2a2b961c702e6daac7c0d7504c07472cc95275d1f213a1258a308fbed178907ee92b9dda787153dc409f60f9bc66b1c8093f84c5ab