Analysis
- max time kernel: 96s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/06/2024, 20:30
Static task: static1
Behavioral task: behavioral1
- Sample: 60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe
- Size: 12KB
- MD5: 60975a24d0d5bca2ac9dbbb8670673a0
- SHA1: 0dcde229be7c44eaf6d1bbb928d348069da35cc1
- SHA256: 5863ab1c9f2e011e13b02536e160a75582f946e52af1f89311d8db68363b77fb
- SHA512: 9488d131d4a0d2fc9ca647da392fff57efde85b578b7afe20a11fc36f1303c80f15978e9d9542604b5293fceaa42389792f674a63aa3248948bd2a93378b4398
- SSDEEP: 384:fL7li/2zuq2DcEQvdQcJKLTp/NK9xaI1:T2MCQ9cI1
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation (process: 60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe)
- Deletes itself (1 IoC)
  PID 4776, process: tmp3DC5.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 4776, process: tmp3DC5.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 3612, process: 60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (9 IoCs; columns: description, pid, process, procid_target)
  PID 3612 wrote to memory of 4652 | 3612 | 60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe | 85
  PID 3612 wrote to memory of 4652 | 3612 | 60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe | 85
  PID 3612 wrote to memory of 4652 | 3612 | 60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe | 85
  PID 4652 wrote to memory of 2964 | 4652 | vbc.exe | 87
  PID 4652 wrote to memory of 2964 | 4652 | vbc.exe | 87
  PID 4652 wrote to memory of 2964 | 4652 | vbc.exe | 87
  PID 3612 wrote to memory of 4776 | 3612 | 60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe | 88
  PID 3612 wrote to memory of 4776 | 3612 | 60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe | 88
  PID 3612 wrote to memory of 4776 | 3612 | 60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe | 88
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe"
  PID: 3612
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\omsp0d1s\omsp0d1s.cmdline"
    PID: 4652
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EDE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc71C52FB094A64DB9A33EC49F8C0D9D9.TMP"
      PID: 2964
  - [2] C:\Users\Admin\AppData\Local\Temp\tmp3DC5.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp3DC5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe
    PID: 4776
    Signatures: Deletes itself; Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads