Analysis
max time kernel: 52s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/06/2024, 20:54
Static task: static1
Behavioral task: behavioral1
  Sample: 865c4f09357a2382e8cebc281f7857e0_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 865c4f09357a2382e8cebc281f7857e0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 865c4f09357a2382e8cebc281f7857e0_NeikiAnalytics.exe
Size: 53KB
MD5: 865c4f09357a2382e8cebc281f7857e0
SHA1: d8a25ddf9371fbef5ee0e7cce0c3e597a52b0808
SHA256: 289577542a6f285c7d5041f2040a14550302669a25a35b6e9b957e03130ee238
SHA512: dc9a1f3327b8db2237b62c228c7937ab98ca89d34cbc7de5073c9de593447e1071f65eb740456886004bb557898b62cf89b1b5e704f4d4cb14f983a7f1833ca7
SSDEEP: 384:DnfN2qlzZUrCjtfSSvUl0rBL2etVlt6SR50S8Skhe9XLt6y7+zQiF5KDLls0JK/W:J2GCpwjZ8ve9Xh6W+zQimran
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (cfmon.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Executes dropped EXE (1 IoC)
  PID 5068: cfmon.exe
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files\Common Files\taobao\cfmon.exe (865c4f09357a2382e8cebc281f7857e0_NeikiAnalytics.exe)
  File opened for modification: C:\Program Files\Common Files\taobao\cfmon.exe (865c4f09357a2382e8cebc281f7857e0_NeikiAnalytics.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoC)
  PID 3360: taskkill.exe
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings (cfmon.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: PID 3712, 865c4f09357a2382e8cebc281f7857e0_NeikiAnalytics.exe
  Token SeDebugPrivilege: PID 3360, taskkill.exe
  Token SeDebugPrivilege: PID 5068, cfmon.exe
- Suspicious use of WriteProcessMemory (18 IoCs; each parent-to-child write below appears three times in the report, the last column is the report's procid_target)
  PID 3712 wrote to memory of 4988: 865c4f09357a2382e8cebc281f7857e0_NeikiAnalytics.exe, procid_target 83
  PID 4988 wrote to memory of 3360: cmd.exe, procid_target 85
  PID 3712 wrote to memory of 5068: 865c4f09357a2382e8cebc281f7857e0_NeikiAnalytics.exe, procid_target 90
  PID 3712 wrote to memory of 3224: 865c4f09357a2382e8cebc281f7857e0_NeikiAnalytics.exe, procid_target 91
  PID 5068 wrote to memory of 3152: cfmon.exe, procid_target 93
  PID 3152 wrote to memory of 4628: WScript.exe, procid_target 95
Processes
865c4f09357a2382e8cebc281f7857e0_NeikiAnalytics.exe (PID 3712)
  Image: C:\Users\Admin\AppData\Local\Temp\865c4f09357a2382e8cebc281f7857e0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\865c4f09357a2382e8cebc281f7857e0_NeikiAnalytics.exe"
  Signatures: Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  |-- cmd.exe (PID 4988)
  |     Image: C:\Windows\SysWOW64\cmd.exe
  |     Command line: cmd /c taskkill /im cfmon.exe /f
  |     Signatures: Suspicious use of WriteProcessMemory
  |     |-- taskkill.exe (PID 3360)
  |           Image: C:\Windows\SysWOW64\taskkill.exe
  |           Command line: taskkill /im cfmon.exe /f
  |           Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  |-- cfmon.exe (PID 5068)
  |     Image: C:\Program Files\Common Files\taobao\cfmon.exe
  |     Command line: "C:\Program Files\Common Files\taobao\cfmon.exe"
  |     Signatures: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  |     |-- WScript.exe (PID 3152)
  |           Image: C:\Windows\SysWOW64\WScript.exe
  |           Command line: "C:\Windows\System32\WScript.exe" "C:\340.vbe"
  |           Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  |           |-- cmd.exe (PID 4628)
  |                 Image: C:\Windows\SysWOW64\cmd.exe
  |                 Command line: "C:\Windows\System32\cmd.exe" /c del C:\Windows\system32\drivers\etc\hosts
  |-- cmd.exe (PID 3224)
        Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\865c4f09357a2382e8cebc281f7857e0_NeikiAnalytics.exe"
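The process tree and signatures above, rebuilt and scored by a short script. This is an added example and not part of the Triage report: the PIDs, image paths and command lines are copied from the report, the parent/child edges come from the WriteProcessMemory rows, and the four rules (taskkill of a name that another process in the same tree runs as, a script host launched on a file sitting in the drive root, deletion of the hosts file, and cmd /c del of the tree's own dropper path) are my assumptions about what an analyst would alert on, not Triage's own signature logic. Note that the image paths read SysWOW64 while the command lines say System32: the sample is 32-bit, so its child launches go through WOW64 file-system redirection, and any rule that matches on the System32 path alone will miss them.

```python
"""Rebuild a sandbox process tree from parent/child edges and command lines,
then run behavioural rules over it. Added example; data copied from the report,
rules are assumptions."""
import ntpath
import re
from collections import defaultdict

# Constructed from the 'Suspicious use of WriteProcessMemory' rows: (parent PID, child PID)
EDGES = [(3712, 4988), (4988, 3360), (3712, 5068), (3712, 3224),
         (5068, 3152), (3152, 4628)]

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\865c4f09357a2382e8cebc281f7857e0_NeikiAnalytics.exe"

# Constructed from the 'Processes' section: PID -> (image path, command line)
PROCS = {
    3712: (SAMPLE, f'"{SAMPLE}"'),
    4988: (r"C:\Windows\SysWOW64\cmd.exe", "cmd /c taskkill /im cfmon.exe /f"),
    3360: (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /im cfmon.exe /f"),
    5068: (r"C:\Program Files\Common Files\taobao\cfmon.exe",
           r'"C:\Program Files\Common Files\taobao\cfmon.exe"'),
    3152: (r"C:\Windows\SysWOW64\WScript.exe",
           r'"C:\Windows\System32\WScript.exe" "C:\340.vbe"'),
    4628: (r"C:\Windows\SysWOW64\cmd.exe",
           r'"C:\Windows\System32\cmd.exe" /c del C:\Windows\system32\drivers\etc\hosts'),
    3224: (r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c del "{SAMPLE}"'),
}

TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I)
# A script file directly in a drive root (no sub-directory), e.g. C:\340.vbe
ROOT_SCRIPT_RE = re.compile(r'"?([a-z]:\\[^\\"]+\.(?:vbe|vbs|js|jse|wsf|hta))"?(?=\s|$)', re.I)
DEL_RE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.I)


def build_tree(edges):
    parent, children = {}, defaultdict(list)
    for p, c in edges:
        parent[c] = p
        children[p].append(c)
    return parent, children


def root_of(pid, parent):
    while pid in parent:
        pid = parent[pid]
    return pid


def subtree(pid, children):
    out = [pid]
    for c in children.get(pid, []):
        out.extend(subtree(c, children))
    return out


def render_tree(procs, edges, pid=None, depth=0):
    """Indented '<pid> <command line>' lines, one per process, parent first."""
    parent, children = build_tree(edges)
    pid = root_of(next(iter(procs)), parent) if pid is None else pid
    lines = [f"{'    ' * depth}{pid} {procs[pid][1]}"]
    for c in children.get(pid, []):
        lines.extend(render_tree(procs, edges, c, depth + 1))
    return lines


def analyse(procs, edges):
    """Return sorted (rule, pid) findings for the behaviours the report records."""
    parent, children = build_tree(edges)
    findings = []
    for pid, (image, cmdline) in procs.items():
        name = ntpath.basename(image).lower()
        family = subtree(root_of(pid, parent), children)  # every process in this tree
        family_images = {ntpath.basename(procs[p][0]).lower() for p in family}
        family_paths = {procs[p][0].lower() for p in family}
        if name == "taskkill.exe":
            m = TASKKILL_RE.search(cmdline)
            # killing an image name that this same tree runs as: the sample
            # clears any earlier cfmon.exe before re-dropping and starting it
            if m and m.group(1).lower() in family_images:
                findings.append(("taskkill_own_dropped_binary", pid))
        if name in ("wscript.exe", "cscript.exe") and ROOT_SCRIPT_RE.search(cmdline):
            findings.append(("script_host_from_drive_root", pid))
        if name == "cmd.exe":
            m = DEL_RE.search(cmdline)
            if m:
                target = m.group(1).strip().lower()
                if target.endswith(r"\drivers\etc\hosts"):
                    findings.append(("hosts_file_deletion", pid))
                if target in family_paths:  # cmd /c del of the tree's own dropper
                    findings.append(("self_deletion", pid))
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(render_tree(PROCS, EDGES)))
    for rule, pid in analyse(PROCS, EDGES):
        print(f"{rule:32} PID {pid}")
```

Run with python3 it prints the indented tree followed by the four findings; reusing it on another report only requires replacing EDGES and PROCS. The rules deliberately key on relationships inside the tree (a kill target that matches a sibling's image name, a del target that matches an ancestor's path) rather than on the file names alone, since cfmon.exe and the taobao directory are specific to this sample and will not survive a rebuild.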
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 711B
  MD5: 2b473891d2ef2a3ff216f9e896a2499f
  SHA1: ce696dc77121b14f936eb1dd68547043a49e616b
  SHA256: c1c7c737a5248a89db3d4b30542a49ef8e9663e2d647276feab28de1a541a868
  SHA512: 0b07b82e1ed8694526180de2e3c14c3a3529975017d03cac81b357b514ea02530d37102f25e09e0d8b3505217d92743df66bb4c57ea42a374a95faf4dace1f5d
- Filesize: 53KB
  MD5: 121d92fde1c11fb94d13482426fca5d1
  SHA1: d33d1407184b2ddbaa43c2220c7b79b704c402fa
  SHA256: 9b32fde05daf3dc9e045ad2c274bb6d61be9537191446c79cf78a5aa2864b10b
  SHA512: 2cb517f00edfabaa9295075e4fee2c7643fad9b319fc05c94cfb5bc36226754a87654ebe2893ed29fe285a6e13ddc3ffc80afe81d9762db07da150a8ccb7b718