Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/06/2024, 05:16
Static task: static1
Behavioral task: behavioral1
- Sample: 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2 (the run this report covers; platform and resource match the Analysis block above)
- Sample: 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe
- Size: 362KB
- MD5: 9cbc65a627d76a1b569a87dac366fbc0
- SHA1: 566e46ec048751ac74e3d149393884a5b278269b
- SHA256: a9571263f1e9762aa338e9c1b272afd3d02aa41fe57990042a9b2b953d3aed6a
- SHA512: e186800d136accf8c0cdb4226cf6489f4178021bc1c08bd1cc4546ea8ea150b9a3d6f5a67ebe230919e2c5eb469f44d40ac753958a5860f29b4e35b577b6fa8a
- SSDEEP: 3072:VBI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ikE8gdkSLF2:VK5ArKjbAxXSaegUqGeGpBohMERx
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (process: 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe)

Executes dropped EXE (3 IoCs)
- PID 1984: Devitall.exe
- PID 3868: cttureg.exe
- PID 1112: ~5B6E.tmp

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\instntui = "C:\\Users\\Admin\\AppData\\Roaming\\bitsstnm\\Devitall.exe" (process: 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe)

Drops file in System32 directory (1 IoC)
- File created: C:\Windows\SysWOW64\cttureg.exe (process: 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe)
SysWOW64 is the 32-bit system directory on 64-bit Windows; a 32-bit process that writes to C:\Windows\System32 is redirected there by file system redirection, so the signature name and the recorded path are consistent. The same file later runs as cttureg.exe -k (PID 3868) at the top level of the process tree.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: EXCEL.EXE)

Caveat: every hit in these two signatures is attributed to EXCEL.EXE (PID 4068), which the sample launched to open ~5B7E.tmp.xls, not to the sample's own image. On their own they are not evidence of anti-sandbox logic in the sample's code.
Modifies registry class (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: Explorer.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (process: 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 4068: EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1984: Devitall.exe (2 hits)
- PID 3404: Explorer.EXE (31 hits)
- PID 3868: cttureg.exe (31 hits)

Suspicious use of AdjustPrivilegeToken (40 IoCs)
- PID 3404: Explorer.EXE, Token: SeShutdownPrivilege (20 hits)
- PID 3404: Explorer.EXE, Token: SeCreatePagefilePrivilege (20 hits)

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 3404: Explorer.EXE (2 hits)

Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 4068: EXCEL.EXE (12 hits)

Suspicious use of UnmapMainImage (1 IoC)
- PID 3404: Explorer.EXE

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 2812 (9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe) wrote to memory of PID 1984 (procid_target 87): 3 hits
- PID 1984 (Devitall.exe) wrote to memory of PID 1112 (procid_target 89): 2 hits
- PID 1112 (~5B6E.tmp) wrote to memory of PID 3404 (procid_target 56): 1 hit
- PID 2812 (9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe) wrote to memory of PID 4068 (procid_target 90): 3 hits
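Of the signatures above, the three that are worth turning into reusable triage logic are the Geo\Nation read, the HKCU Run value that launches from AppData\Roaming, and the executable dropped into SysWOW64. The block below is an added example written by the editor, not tria.ge code: it encodes those three checks as rules over event records constructed from the report's IoCs and groups what fires by acting process. The Event record shape, the lists of user-writable and protected directories, and the benign control event are the editor's assumptions, not something the report states.

```python
"""Triage rules over the registry and file-system IoCs in a sandbox report.

Added example by the editor, not code from tria.ge. REPORT_EVENTS is
constructed from the IoCs in the Signatures section; the Event record shape,
the lists of user-writable and protected directories, and the control event
are the editor's assumptions, not something the report states.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories a standard user can write to. A Run value that launches
# something from here is the textbook user-level persistence shape (assumption).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\programdata\\", "\\users\\public\\")
# New executables here should come from Windows servicing, not from a
# process running out of the user's profile (assumption).
PROTECTED_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)


@dataclass(frozen=True)
class Event:
    kind: str       # "reg_set" | "reg_query" | "file_create"
    process: str    # full image path of the acting process
    target: str     # registry value path or file path
    data: str = ""  # registry data for reg_set, as the report shows it


def check_event(ev: Event) -> list[str]:
    """Return one finding string per rule that fires; empty list means clean."""
    findings: list[str] = []
    target_l = ev.target.lower()
    proc_l = ev.process.lower()

    if ev.kind == "reg_set" and RUN_KEY_RE.search(ev.target):
        # The report prints the stored string with doubled backslashes and
        # surrounding quotes; normalise before matching.
        launch = ev.data.strip('"').replace("\\\\", "\\").lower()
        if any(d in launch for d in USER_WRITABLE):
            findings.append("persistence:run-key-to-user-writable:" + launch)

    if ev.kind == "reg_query" and GEO_NATION_RE.search(ev.target):
        findings.append("geofence:geo-nation-read:" + proc_l)

    if (ev.kind == "file_create" and target_l.endswith(".exe")
            and any(d in target_l for d in PROTECTED_DIRS)
            and not proc_l.startswith("c:\\windows\\")):
        findings.append("masquerade:exe-dropped-in-protected-dir:" + target_l)

    return findings


def triage(events: list[Event]) -> dict[str, list[str]]:
    """Findings grouped by acting process; processes with none are omitted."""
    out: dict[str, list[str]] = {}
    for ev in events:
        for finding in check_event(ev):
            out.setdefault(ev.process, []).append(finding)
    return out


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000"

# Constructed from the report's IoCs, plus one benign control event.
REPORT_EVENTS = [
    Event("reg_query", SAMPLE, HKU + r"\Control Panel\International\Geo\Nation"),
    Event("reg_set", SAMPLE, HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\instntui",
          '"C:\\\\Users\\\\Admin\\\\AppData\\\\Roaming\\\\bitsstnm\\\\Devitall.exe"'),
    Event("file_create", SAMPLE, r"C:\Windows\SysWOW64\cttureg.exe"),
    # Control: a Run value pointing into Program Files is not the pattern.
    Event("reg_set", r"C:\Program Files\Vendor\setup.exe",
          HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
          '"C:\\\\Program Files\\\\Vendor\\\\agent.exe"'),
]

if __name__ == "__main__":
    for process, findings in triage(REPORT_EVENTS).items():
        print(process)
        for finding in findings:
            print("  " + finding)
```

The control Run value that points into Program Files is there to show that the persistence rule keys on where the launched image lives, not on the mere presence of a Run value; a vendor agent that registers itself the same way from Program Files should not fire it.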
Processes (indentation shows parent/child; the leading number is the depth as reported)
1 C:\Windows\Explorer.EXE (PID 3404)
  command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  2 C:\Users\Admin\AppData\Local\Temp\9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe (PID 2812)
    command line: "C:\Users\Admin\AppData\Local\Temp\9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    3 C:\Users\Admin\AppData\Roaming\bitsstnm\Devitall.exe (PID 1984)
      command line: "C:\Users\Admin\AppData\Roaming\bitsstnm\Devitall.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      4 C:\Users\Admin\AppData\Local\Temp\~5B6E.tmp (PID 1112)
        command line: "C:\Users\Admin\AppData\Local\Temp\~5B6E.tmp"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
    3 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4068)
      command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\~5B7E.tmp.xls"
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
1 C:\Windows\SysWOW64\cttureg.exe (PID 3868)
  command line: C:\Windows\SysWOW64\cttureg.exe -k
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
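Most WriteProcessMemory rows in this report pair a parent with the child it has just started (2812 into 1984 and 4068, 1984 into 1112), which is what a parent writing into a freshly created child looks like. The row that does not fit is ~5B6E.tmp (PID 1112) writing into Explorer.EXE (PID 3404), which is not its child; Explorer is also where the EnumeratesProcesses, AdjustPrivilegeToken and FindShellTrayWindow hits land. The block below is an added example written by the editor, not tria.ge code: it rebuilds the tree from the process list, classifies each write as spawn-time or cross-process, and lists top-level processes other than the shell for which the tree shows no parent (cttureg.exe here). PROCS and WRITES are transcribed from the report; the classification rule and the shell-name heuristic are the editor's.

```python
"""Rebuild the sandbox process tree and classify the WriteProcessMemory hits.

Added example by the editor, not tria.ge code. PROCS and WRITES are
transcribed from the Processes section and the WriteProcessMemory
signature above; the classification rule (a write into a process that is
not the writer's own child is treated as cross-process) is the editor's
heuristic, not something the report states.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[int]  # None: top level in the report (no parent shown)


# Transcribed from the Processes section: (pid, image, parent pid).
PROCS = [
    Proc(3404, r"C:\Windows\Explorer.EXE", None),
    Proc(2812, r"C:\Users\Admin\AppData\Local\Temp\9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe", 3404),
    Proc(1984, r"C:\Users\Admin\AppData\Roaming\bitsstnm\Devitall.exe", 2812),
    Proc(1112, r"C:\Users\Admin\AppData\Local\Temp\~5B6E.tmp", 1984),
    Proc(4068, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE", 2812),
    Proc(3868, r"C:\Windows\SysWOW64\cttureg.exe", None),
]

# Transcribed from the WriteProcessMemory signature, one (writer, target) per IoC row.
WRITES = [(2812, 1984)] * 3 + [(1984, 1112)] * 2 + [(1112, 3404)] + [(2812, 4068)] * 3


def image_name(path: str) -> str:
    """Last path component of a Windows image path."""
    return path.rsplit("\\", 1)[-1]


def render_tree(procs) -> str:
    """Indented text tree; roots are the processes with no recorded parent."""
    by_pid = {p.pid: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p.parent].append(p.pid)
    lines = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{image_name(by_pid[pid].image)} (PID {pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in children[None]:
        walk(root, 0)
    return "\n".join(lines)


def classify_writes(writes, procs):
    """Split writes into spawn-time (writer is the target's recorded parent)
    and cross-process (anything else); each side counts hits per pair."""
    parent_of = {p.pid: p.parent for p in procs}
    spawn, cross = Counter(), Counter()
    for writer, target in writes:
        bucket = spawn if parent_of.get(target) == writer else cross
        bucket[(writer, target)] += 1
    return spawn, cross


def unexplained_roots(procs, shell="explorer.exe"):
    """Top-level processes other than the desktop shell: something started
    them, but the tree does not show what."""
    return [p.pid for p in procs
            if p.parent is None and image_name(p.image).lower() != shell]


if __name__ == "__main__":
    print(render_tree(PROCS))
    spawn, cross = classify_writes(WRITES, PROCS)
    for (writer, target), n in cross.items():
        print(f"cross-process write: PID {writer} -> PID {target} ({n} hit(s))")
    print("unexplained top-level PIDs:", unexplained_roots(PROCS))
```

Run stand-alone, the script prints the tree, the single cross-process write (1112 into 3404) and PID 3868 as the one top-level process the tree cannot explain; on a live host the same two questions (who writes into a process that is not its child, and who started the things with no visible parent) are what to put to the EDR telemetry first.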
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6KB
  MD5: 3381df7bf7b83408f3906756a8302ff4
  SHA1: 5103ad8f72f63167234aa7b81af518cd686606f4
  SHA256: a142b561777536b9327e09a678797d72a9ea5c2dc1a6b02bda961fa9258f07ae
  SHA512: e78dfaf3d8d9b5f3b8349616f1086fe9075126061a3a6fa5bd6d4b4dbe9f447d5e695e3c7fe918dfdd6f294fae2e6d0ad642c05e814d9bab147bbb6b704cf9d9
- Filesize: 71KB
  MD5: 6186c22cc888081ecf6f584e5d4f6aa7
  SHA1: d6d75f24ed318dd6d00cc780b2926d49d4abf48c
  SHA256: db1590fa28b91a615d939fa430cd59d60cfc12d7da9b2fee8acbb7e7d72ffc3c
  SHA512: 17d295231474ca7f43ee1e2b14c821f7107170a03169750114ae534d996394d0d4ba268b4438d38dadda7d169e54b55a9f6f363e7923049d97f524b4c43e97e2
- Filesize: 172KB
  MD5: 957d44ac5f6ee048d794eb28091e6ebd
  SHA1: 43d41297909d1e94485ac0326d3ff5602042d52e
  SHA256: 4ca4310bdea02659b55597b5a786f5eb07cb4327d1c38e59a6f075948dc53a7c
  SHA512: a5ecb584b6cecaf9998ac7957c4a2bd7d2ca954c5bd7d5dcaf49bd1f202b4286e71d48779ca6fde36e2649cc09696bcebf3e7306cb6595c8aa31dd567183dfdd
- Filesize: 362KB (the submitted sample; hashes match the General section)
  MD5: 9cbc65a627d76a1b569a87dac366fbc0
  SHA1: 566e46ec048751ac74e3d149393884a5b278269b
  SHA256: a9571263f1e9762aa338e9c1b272afd3d02aa41fe57990042a9b2b953d3aed6a
  SHA512: e186800d136accf8c0cdb4226cf6489f4178021bc1c08bd1cc4546ea8ea150b9a3d6f5a67ebe230919e2c5eb469f44d40ac753958a5860f29b4e35b577b6fa8a