Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 93s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/06/2024, 00:07
Static task: static1
Behavioral task: behavioral1
  Sample: 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
Size: 12KB
MD5: 4edb786a77b0bab6829d8a6b570d60f0
SHA1: 11f5d60f4acc562fcf145d9886cdcbd8539885a2
SHA256: 384787235065f529d81f53826c0f9d34ebd52c1643250e64d1911faea633cc3b
SHA512: 45230eee011f32f75ff775c83d92a219ac9576567e3254fc479385ec121dbd0caca1f04648dd7c5ff5def568971f97c38cfc328fd5074f98f9bd91ae3cdc3805
SSDEEP: 384:GL7li/2zNq2DcEQvdQcJKLTp/NK9xaPA:g9MCQ9cPA
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | Process: 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
Deletes itself (1 IoC)
  pid: 5032 | Process: tmp40C3.tmp.exe
Executes dropped EXE (1 IoC)
  pid: 5032 | Process: tmp40C3.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege | pid: 2104 | Process: 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2104 wrote to memory of 4740 | 2104 | 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe | 87
  PID 2104 wrote to memory of 4740 | 2104 | 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe | 87
  PID 2104 wrote to memory of 4740 | 2104 | 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe | 87
  PID 4740 wrote to memory of 5008 | 4740 | vbc.exe | 89
  PID 4740 wrote to memory of 5008 | 4740 | vbc.exe | 89
  PID 4740 wrote to memory of 5008 | 4740 | vbc.exe | 89
  PID 2104 wrote to memory of 5032 | 2104 | 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe | 90
  PID 2104 wrote to memory of 5032 | 2104 | 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe | 90
  PID 2104 wrote to memory of 5032 | 2104 | 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe | 90
Processes
(1) C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2104
    (2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gewrzlfr\gewrzlfr.cmdline"
        - Suspicious use of WriteProcessMemory
        PID: 4740
        (3) C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5DF3EAC966BC428DB02DC1725244492.TMP"
            PID: 5008
    (2) C:\Users\Admin\AppData\Local\Temp\tmp40C3.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp40C3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
        - Deletes itself
        - Executes dropped EXE
        PID: 5032
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 7665274363a0be54977172a3009859ed
SHA1: a56cdcd8bf95094f4bd0da74a600a9ae75d198bf
SHA256: 3f8067875728b43b5b6325920d67c59a8228d309208851e1ef9d928ef4cd1243
SHA512: 610821b24b1a68874563bcd997b9bec2811d6fdbede2cb86f773da142ccc14c30294f52c9a74c3e5c06f259a22189831388a2496507fc32ab4e043de13b3d1e3

Filesize: 1KB
MD5: e36c597863214be11400dd6cfed8e53e
SHA1: d2d2e1f059c52ae85ced5f6633b98cf23263c425
SHA256: 548ba3ac7f217ef845d7271f30532a2971e6c6be8feff7f455ee63bae1e8492d
SHA512: dd00600f4459e3a5ebec3ca85da88620cc9777958804630586719a469c0377fd31563f5558081966747aec6b0830ac4f70377a5b06265d047c317ee4d7b612e3

Filesize: 2KB
MD5: 583d0003540c746f3a0bdf53d7165256
SHA1: ffe6abe3906c630b7e4c2bdacab8665b2d7fa97e
SHA256: f0355d615a41ed84cdc8f72a395038c1c4da76f4aa47a8df29f2cdd8384c3a53
SHA512: 5e6ed0d1744c10ba499c40eb05741b1aae7d2a8ed4abd1a2251fa78a1da8f36ebf37df9d72ebfc8f55e6d2764403ce9e22d4e5179366d920071eddb4c112612f

Filesize: 273B
MD5: 774c32d1e6b8b3f39717effe472f40c4
SHA1: f629990c03921a7aa7dfa1c651abc85aa9134c3d
SHA256: 5b77c56ccef6dfa0964c5d5646d32f5a0e2aeaf57fc3dcce3f1c9007d6d4e0d5
SHA512: e5cbc45e29381131b39c54621ca88a8fe415ff8876b895390ee698cd89566e7ceb305991009b5400088e56cdbb260cc7d0d80a51206a647a0478a4af00561e3b

Filesize: 12KB
MD5: 3f2bcd0db5c4d81f345be3550755631b
SHA1: eaca9621df5045e0eaf762f6431111ae7a3d443f
SHA256: 2fbf14d82e3bf6660f69f1b6434a14fe8fabc0294abee395707b3c0314fef864
SHA512: 350c2a1d79bf33adf6f1d0d9c3c7dd4f18ff0c66f179db739915785f90b831255e416631bf3b6308fed5f3ed7cf08402fb0629d5423e60b8cb4c5e8433e8de90

Filesize: 1KB
MD5: 90b063e776c8f8555c2d9d0523bc6d7f
SHA1: d4e4a53425e27b47389465d437b23db4b487ae2a
SHA256: 9c3b9987f24ed16543b52cf2b5c41bbb47a57db7954b901b688518abe30cc89b
SHA512: 72a7bde739a8e974dec6e71bc1d1f53ca5145b438918a29e24d7a01bd04958d928a8b92c6e9497914ca93a7bb6aa822d9382aaf18c3dd9a1e19a5eb46af84e0b