Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/06/2024, 13:16

Static task: static1

Behavioral task: behavioral1
Sample: 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
Size: 12KB
MD5: 182ef97364bb9b12f59442fa3997fa00
SHA1: 5967673d4fab2ccfb0e0e1c3a9e7513bd7be4bd7
SHA256: 803d6a9b843255fe332a86c44e4708ae2d0977ea8d94e1e09cfabd9d087ae3f7
SHA512: df22819d6cd19a341b8d2944403295218760312a9e25c2828464d4bb3f339047ce4fbddf72c16832f5faeb3e21bec54eb882e918a890360b7ec2076af5b459b0
SSDEEP: 384:xL7li/2zgq2DcEQvdhcJKLTp/NK9xaNx:xkM/Q9cNx
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
  Process: 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe

Deletes itself (1 IoC)
  pid 1880: tmp5FE4.tmp.exe

Executes dropped EXE (1 IoC)
  pid 1880: tmp5FE4.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid 2708: 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2708 wrote to memory of 4872 | 2708 | 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe | 88
  PID 2708 wrote to memory of 4872 | 2708 | 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe | 88
  PID 2708 wrote to memory of 4872 | 2708 | 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe | 88
  PID 4872 wrote to memory of 4804 | 4872 | vbc.exe | 90
  PID 4872 wrote to memory of 4804 | 4872 | vbc.exe | 90
  PID 4872 wrote to memory of 4804 | 4872 | vbc.exe | 90
  PID 2708 wrote to memory of 1880 | 2708 | 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe | 91
  PID 2708 wrote to memory of 1880 | 2708 | 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe | 91
  PID 2708 wrote to memory of 1880 | 2708 | 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe | 91
Processes

1. C:\Users\Admin\AppData\Local\Temp\182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe"
   PID: 2708
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p3jjnxpb\p3jjnxpb.cmdline"
      PID: 4872
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6CCB6294E11B453E878FE8A9341163.TMP"
         PID: 4804

   2. C:\Users\Admin\AppData\Local\Temp\tmp5FE4.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5FE4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
      PID: 1880
      - Deletes itself
      - Executes dropped EXE
Downloads