Analysis
- max time kernel: 140s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/06/2024, 05:06
Behavioral task: behavioral1
- Sample: 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe
- Size: 383KB
- MD5: 9c805fc3829e484ede63b33a40b13b10
- SHA1: ec0b1354b3c5f05ab1d17968501fffa833b74466
- SHA256: bf5e5101a0e8da1521a958ecb965bbf16142b808fa7db91318c8a39e905b6c68
- SHA512: e1f66e3f3f0f7a390eb8df47064344a692ad5d1b45aa93eff0027a1d1e3ac2c67bfae1ff9b4d036a8c54407e4413a0dedcc51d199bdb33910d78f9a3b9f709fd
- SSDEEP: 6144:td5afqlpDHA9NtTV3okaEXnMhr1gg5YdEV1l6RXMAcfBOWq3oXY/LBFV7UMXKb3w:td5acTP+n25J1sJWWLBF2MXKb5Ol7
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- pid 2808, Process svchost.exe

yara_rule "upx" matched resources
- behavioral2/memory/1652-0-0x0000000000400000-0x000000000049D000-memory.dmp
- behavioral2/files/0x00090000000233f3-7.dat
- behavioral2/memory/1652-12-0x0000000000400000-0x000000000049D000-memory.dmp
- behavioral2/memory/2808-14-0x0000000000400000-0x000000000049D000-memory.dmp
- behavioral2/memory/2808-294-0x0000000000400000-0x000000000049D000-memory.dmp

Modifies WinLogon (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\feabe900 = "C:\\Windows\\apppatch\\svchost.exe", Process 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe

Drops file in Program Files directory (18 IoCs)
All 18 files created by svchost.exe under C:\Program Files (x86)\Windows Defender\:
- pupycag.com
- vofycot.com
- lyxynyx.com
- gahyhiz.com
- vonypom.com
- gatyfus.com
- qegyval.com
- qetyhyg.com
- qetyfuv.com
- pupydeq.com
- qexyhuv.com
- lygyvuj.com
- gahyqah.com
- gadyciz.com
- galyqaz.com
- galynuh.com
- vocyzit.com
- lymyxid.com

Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\apppatch\svchost.exe, Process 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe
- File opened for modification: C:\Windows\apppatch\svchost.exe, Process 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe

Program crash (1 IoC)
- pid 4476, pid_target 2808, Process WerFault.exe, procid_target 83

Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache, Process svchost.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 2808, Process svchost.exe (all 64 entries are this same pid/process)

Suspicious behavior: RenamesItself (1 IoC)
- pid 1652, Process 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeSecurityPrivilege, pid 1652, Process 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe (2 entries)
- Token: SeSecurityPrivilege, pid 2808, Process svchost.exe (2 entries)

Suspicious use of WriteProcessMemory (3 IoCs)
- PID 1652 wrote to memory of 2808, Process 9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe, procid_target 83 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c805fc3829e484ede63b33a40b13b10_NeikiAnalytics.exe"
  PID: 1652
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\apppatch\svchost.exe
    Command line: "C:\Windows\apppatch\svchost.exe"
    PID: 2808
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 4288
      PID: 4476
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2808 -ip 2808
  PID: 1948
Network
MITRE ATT&CK Enterprise v15
Downloads