Analysis
  max time kernel: 150s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240426-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 04/06/2024, 01:40
Static task: static1

Behavioral task: behavioral1
  Sample: 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
  Target: 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
  Size: 12KB
  MD5: 1de6fa7a84e25a1df9d24bbd4a7ae9b0
  SHA1: 96459fce9384be0e56af03f66d8338374397b10c
  SHA256: c5a3a0e9f1c4fb0e9861b3d03c9344d9bb54767f614a39647422ccdfa37d61a7
  SHA512: a902a921fd9cdcebe613f83478840e5fec3414fb3c17ce251f27af2f6bd2905ee2fbe2b1e0e29460c68cc125e7ef43dd63f09349311ebb7b969c000e616f012a
  SSDEEP: 384:pL7li/2zaq2DcEQvdQcJKLTp/NK9xa8v:ZCMCQ9c8v
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation
  Process: 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe

Deletes itself (1 IoC)
  PID: 4928
  Process: tmp399F.tmp.exe

Executes dropped EXE (1 IoC)
  PID: 4928
  Process: tmp399F.tmp.exe

Uses the VBS compiler for execution (1 TTP)
  vbc.exe is the Visual Basic .NET command-line compiler, not the VBScript engine. In the process tree below it is invoked with a response file (.cmdline) from the sample's Temp directory and spawns cvtres.exe, the resource converter the compiler calls while producing a PE.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description: Token: SeDebugPrivilege
  PID: 1800
  Process: 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Description                       PID   Process                                              procid_target
  PID 1800 wrote to memory of 4068  1800  1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe  86
  PID 1800 wrote to memory of 4068  1800  1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe  86
  PID 1800 wrote to memory of 4068  1800  1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe  86
  PID 4068 wrote to memory of 3868  4068  vbc.exe                                              88
  PID 4068 wrote to memory of 3868  4068  vbc.exe                                              88
  PID 4068 wrote to memory of 3868  4068  vbc.exe                                              88
  PID 1800 wrote to memory of 4928  1800  1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe  89
  PID 1800 wrote to memory of 4928  1800  1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe  89
  PID 1800 wrote to memory of 4928  1800  1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe  89
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe"
  PID: 1800
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vllnqkwf\vllnqkwf.cmdline"
    PID: 4068
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9DA684253E64FB780116760283D01.TMP"
      PID: 3868

  [depth 2] C:\Users\Admin\AppData\Local\Temp\tmp399F.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp399F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
    PID: 4928
    - Deletes itself
    - Executes dropped EXE
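The process tree has the shape of a runtime .NET compile-then-execute: the sample drives vbc.exe with a response file out of its own Temp directory, vbc.exe spawns cvtres.exe, and the sample then launches a freshly dropped .tmp.exe and hands it its own path on the command line (the pattern tria.ge labels "Deletes itself"). The Python below is an added example, not part of the tria.ge report, that encodes that shape as three correlated rules over process-creation records. The records are constructed here; their PIDs, image paths and command lines are copied from the report, while the field names (pid, ppid, image, cmdline), the inclusion of csc.exe alongside vbc.exe (the same CodeDOM invocation exists for C#) and the benign MSBuild control are assumptions.

```python
import re
from dataclasses import dataclass

# User-writable staging directory. Only %LOCALAPPDATA%\Temp is matched because
# that is the path the report shows; extend the pattern for other drop locations.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

# vbc.exe is what the report shows; csc.exe is included because the CodeDOM
# compile path emits the identical "/noconfig @*.cmdline" invocation for C#
# (generalization, not from the report).
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Constructed process-creation records mirroring the report's process tree.
# Field names are an assumption; values are taken from the report.
EVENTS = [
    ProcEvent(1800, 0,
              r"C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe"'),
    ProcEvent(4068, 1800,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vllnqkwf\vllnqkwf.cmdline"'),
    ProcEvent(3868, 4068,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9DA684253E64FB780116760283D01.TMP"'),
    ProcEvent(4928, 1800,
              r"C:\Users\Admin\AppData\Local\Temp\tmp399F.tmp.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\tmp399F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe'),
]

# Constructed benign control (assumption): a build tool outside any user-writable
# path invoking the same compiler with a response file in a source tree.
BENIGN_EVENTS = [
    ProcEvent(5100, 5000, r"C:\Program Files\dotnet\MSBuild.exe", r'"C:\Program Files\dotnet\MSBuild.exe" app.vbproj'),
    ProcEvent(5200, 5100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\src\app\obj\Debug\app.vbproj.cmdline"'),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def response_files(cmdline: str) -> list[str]:
    """Paths passed as compiler response files, written @path or @"path"."""
    return re.findall(r'@"?([^"\s]+)"?', cmdline)


def detect(events: list[ProcEvent]) -> list[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    compiler_parents: set[int] = set()
    dropped_parents: set[int] = set()

    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)

        # Rule 1: a .NET command-line compiler driven from a user-writable
        # location, by its parent's image path or by its response file.
        if name in DOTNET_COMPILERS:
            rsp_in_temp = any(USER_WRITABLE.match(p) for p in response_files(e.cmdline))
            parent_in_temp = parent is not None and USER_WRITABLE.match(parent.image) is not None
            if rsp_in_temp or parent_in_temp:
                findings.append(Finding("dotnet_compiler_from_temp", e.pid,
                                        f"{name} spawned by pid {e.ppid}"))
                compiler_parents.add(e.ppid)

        # Rule 2: an executable in a user-writable path, launched by another
        # executable in a user-writable path, and given the parent's own path
        # as an argument: the shape a self-delete helper takes.
        if (parent is not None
                and USER_WRITABLE.match(e.image)
                and USER_WRITABLE.match(parent.image)
                and parent.image.lower() in e.cmdline.lower()):
            findings.append(Finding("dropped_exe_given_parent_path", e.pid,
                                    f"{name} received the image path of pid {e.ppid}"))
            dropped_parents.add(e.ppid)

    # Rule 3: correlate per parent. One process doing both halves is the
    # compile-then-run chain from the report and is far rarer than either alone.
    for ppid in sorted(compiler_parents & dropped_parents):
        findings.append(Finding("compile_and_execute_chain", ppid,
                                f"pid {ppid} drove a .NET compiler and then ran a dropped executable"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:32} pid={f.pid:<6} {f.detail}")
    print("benign control findings:", detect(BENIGN_EVENTS))
```

Rule 3 is the one worth keeping at low tolerance: developers and build servers trip Rule 1 routinely, and installers that hand a cleanup stub their own path trip Rule 2, but a single process that does both within one session is close to what this sample does.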
Network
MITRE ATT&CK Enterprise v15
Downloads

  File 1
    Filesize: 2KB
    MD5: b81929257c36e92e4fa9a7f7c448175e
    SHA1: 660ae12f5dafd13c4bb856a297817f5841d5abd6
    SHA256: 061fbad7d0384812cefb2adc4451b2afcabf8f492994a02db75f4185d50ec98b
    SHA512: fee0bd379ce1dcd032e53134bec87c662f929ca139cbdbdbb8ad266ce5a824b2c2ad0669c0dcd82b3a74371136cf3254bab0826a23784e0ab25dfbd3717428ea

  File 2
    Filesize: 1KB
    MD5: c69ec76388a0384c4543b990ad5bd111
    SHA1: 1b0a352203ff2beaeaa8a42410f48e43cde53678
    SHA256: b56e5227368051a4d5edd97a7097572bf584715b4fb695ef9a5128b0cc4f9b62
    SHA512: f1fa14678dd50453ef24c8033321b3de5d7abbe6c4e977d407239443570555e3d82fd8d8fa0144ac4a4a85db1d55111dabaf77c21472cf36778016167cf6159d

  File 3
    Filesize: 12KB
    MD5: 40e78cb1c8d8206b71e21373f9f6bafb
    SHA1: a59edf3534b08bc98fbaf53ae33438da16204d1d
    SHA256: 220be42308fc53253268d44cd933f91071e37ff04d48927749ec4b363c5654a2
    SHA512: 0d6013057e0c4862d66ae667778169f34b37399dc19d351500a6a8d90629fc15c9bfa4c15a906734c91dce84d0b7a88739bfb533700c6ddfa2f91f6e8af25713

  File 4
    Filesize: 1KB
    MD5: eba2198caef66a765f2e5bcf64a3e1fb
    SHA1: 619ef83fd3e2c21d4adf9375012727a3f2872c72
    SHA256: 4480d4b1baf1c8e4ee7c9aa40f67f0674de87a952da680d476b76acf75f4a44a
    SHA512: f54870a6482bcb61b3eedd58b8c5d8ac430eae555978466ac576c80b8cc9812b502823ccf39dd1e740dc6575ba33dea558aae1393aa3307524a882c6dd00683d

  File 5
    Filesize: 2KB
    MD5: f57d4145c3a7b1d97b37a890cfa73004
    SHA1: 728c7be8c799d2f649f141d309d9f8bbaaf89e42
    SHA256: a39da59aeda47e8b31017f84c3aac28b48fded4fed0d7810ac1ccd9968a42e97
    SHA512: 10b87af4087878f55d90dd695564a6df36a79af5eef76dfbbfc6a8edbceda98669a433d87ec0e55fd08a131d97a7b7d31ca037b01c66b2d7b2b281de30026c76

  File 6
    Filesize: 273B
    MD5: f60f2788fc3f4d0a1a7b2c059104ba3d
    SHA1: 03ff636c41f98e12abb2abdb68f7f43651517b4a
    SHA256: a9245bf20afb6f35cb67db873de89f0fcca32458c370d927cf7778fa28f6f8d9
    SHA512: 4217bd415991daf32698ceedeb184d59d2d7d72203f9b7ac636f868bcf6f929592d00ad774eb7f001f1b192227dc8c96d42ffe37c3277d97f97671f189debcaa