Analysis
max time kernel: 122s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/06/2024, 21:19
Static task: static1
Behavioral task: behavioral1
Sample: 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
Size: 1.3MB
MD5: b7d5b22aaeab5b419389db0647ba4f60
SHA1: f8aca4756c7cb1d843dd734ac5582e8540dab8e6
SHA256: 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226
SHA512: dc8b9112ae37b65d7371bde6d5a6e0aa2ddacdffb227c5ad3051e03cb40a586ee8699ddb3ce437c96804826d8ce32280455935be9731afb5a5d0c33332860b24
SSDEEP: 6144:gDCwfqDCwfyDDCwfADCwfyDDCwfqDCwfyDDCwfazhDCwfazrDCwfqDCG:g7q7yD7A7yD7q7yD7azh7azr7qb
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" avscan.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" hosts.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" avscan.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" hosts.exe
Adds policy Run key to start application 2 TTPs 6 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run WScript.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OBJIYUIE = "W_X_C.bat" WScript.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run WScript.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OBJIYUIE = "W_X_C.bat" WScript.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run WScript.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OBJIYUIE = "W_X_C.bat" WScript.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation cmd.exe
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation cmd.exe
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 6 IoCs
pid Process
1336 avscan.exe
3612 avscan.exe
2524 hosts.exe
4932 hosts.exe
3528 avscan.exe
3816 hosts.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager REG.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc REG.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys REG.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power REG.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc REG.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys REG.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" avscan.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" hosts.exe
Drops file in Windows directory 5 IoCs
description ioc Process
File created C:\windows\W_X_C.vbs 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
File created \??\c:\windows\W_X_C.bat 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
File opened for modification C:\Windows\hosts.exe 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
File opened for modification C:\Windows\hosts.exe avscan.exe
File opened for modification C:\Windows\hosts.exe hosts.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 4 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings cmd.exe
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings cmd.exe
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings cmd.exe
Modifies registry key 1 TTPs 9 IoCs
pid Process
4828 REG.exe
2340 REG.exe
3512 REG.exe
5756 REG.exe
4856 REG.exe
5944 REG.exe
1684 REG.exe
2200 REG.exe
4036 REG.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
1336 avscan.exe
2524 hosts.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
1348 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
1336 avscan.exe
3612 avscan.exe
2524 hosts.exe
4932 hosts.exe
3528 avscan.exe
3816 hosts.exe
Suspicious use of WriteProcessMemory 63 IoCs
description pid Process procid_target
PID 1348 wrote to memory of 4828 1348 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe 81
PID 1348 wrote to memory of 4828 1348 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe 81
PID 1348 wrote to memory of 4828 1348 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe 81
PID 1348 wrote to memory of 1336 1348 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe 83
PID 1348 wrote to memory of 1336 1348 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe 83
PID 1348 wrote to memory of 1336 1348 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe 83
PID 1336 wrote to memory of 3612 1336 avscan.exe 84
PID 1336 wrote to memory of 3612 1336 avscan.exe 84
PID 1336 wrote to memory of 3612 1336 avscan.exe 84
PID 1336 wrote to memory of 1592 1336 avscan.exe 85
PID 1336 wrote to memory of 1592 1336 avscan.exe 85
PID 1336 wrote to memory of 1592 1336 avscan.exe 85
PID 1348 wrote to memory of 4272 1348 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe 86
PID 1348 wrote to memory of 4272 1348 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe 86
PID 1348 wrote to memory of 4272 1348 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe 86
PID 1592 wrote to memory of 2524 1592 cmd.exe 89
PID 1592 wrote to memory of 2524 1592 cmd.exe 89
PID 1592 wrote to memory of 2524 1592 cmd.exe 89
PID 4272 wrote to memory of 4932 4272 cmd.exe 90
PID 4272 wrote to memory of 4932 4272 cmd.exe 90
PID 4272 wrote to memory of 4932 4272 cmd.exe 90
PID 2524 wrote to memory of 3528 2524 hosts.exe 91
PID 2524 wrote to memory of 3528 2524 hosts.exe 91
PID 2524 wrote to memory of 3528 2524 hosts.exe 91
PID 1592 wrote to memory of 3104 1592 cmd.exe 93
PID 1592 wrote to memory of 3104 1592 cmd.exe 93
PID 1592 wrote to memory of 3104 1592 cmd.exe 93
PID 2524 wrote to memory of 5660 2524 hosts.exe 94
PID 2524 wrote to memory of 5660 2524 hosts.exe 94
PID 2524 wrote to memory of 5660 2524 hosts.exe 94
PID 4272 wrote to memory of 1828 4272 cmd.exe 96
PID 4272 wrote to memory of 1828 4272 cmd.exe 96
PID 4272 wrote to memory of 1828 4272 cmd.exe 96
PID 5660 wrote to memory of 3816 5660 cmd.exe 97
PID 5660 wrote to memory of 3816 5660 cmd.exe 97
PID 5660 wrote to memory of 3816 5660 cmd.exe 97
PID 5660 wrote to memory of 4572 5660 cmd.exe 98
PID 5660 wrote to memory of 4572 5660 cmd.exe 98
PID 5660 wrote to memory of 4572 5660 cmd.exe 98
PID 1336 wrote to memory of 2340 1336 avscan.exe 107
PID 1336 wrote to memory of 2340 1336 avscan.exe 107
PID 1336 wrote to memory of 2340 1336 avscan.exe 107
PID 2524 wrote to memory of 3512 2524 hosts.exe 109
PID 2524 wrote to memory of 3512 2524 hosts.exe 109
PID 2524 wrote to memory of 3512 2524 hosts.exe 109
PID 1336 wrote to memory of 5944 1336 avscan.exe 112
PID 1336 wrote to memory of 5944 1336 avscan.exe 112
PID 1336 wrote to memory of 5944 1336 avscan.exe 112
PID 2524 wrote to memory of 1684 2524 hosts.exe 114
PID 2524 wrote to memory of 1684 2524 hosts.exe 114
PID 2524 wrote to memory of 1684 2524 hosts.exe 114
PID 1336 wrote to memory of 5756 1336 avscan.exe 116
PID 1336 wrote to memory of 5756 1336 avscan.exe 116
PID 1336 wrote to memory of 5756 1336 avscan.exe 116
PID 2524 wrote to memory of 4856 2524 hosts.exe 118
PID 2524 wrote to memory of 4856 2524 hosts.exe 118
PID 2524 wrote to memory of 4856 2524 hosts.exe 118
PID 1336 wrote to memory of 2200 1336 avscan.exe 120
PID 1336 wrote to memory of 2200 1336 avscan.exe 120
PID 1336 wrote to memory of 2200 1336 avscan.exe 120
PID 2524 wrote to memory of 4036 2524 hosts.exe 122
PID 2524 wrote to memory of 4036 2524 hosts.exe 122
PID 2524 wrote to memory of 4036 2524 hosts.exe 122
Processes
C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe"
  PID: 1348
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\REG.exe
    Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    PID: 4828
    - Impair Defenses: Safe Mode Boot
    - Modifies registry key
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
    PID: 1336
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      PID: 3612
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      PID: 1592
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      C:\windows\hosts.exe
        Command line: C:\windows\hosts.exe
        PID: 2524
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
          PID: 3528
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
          PID: 5660
          - Checks computer location settings
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          C:\windows\hosts.exe
            Command line: C:\windows\hosts.exe
            PID: 3816
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            PID: 4572
            - Adds policy Run key to start application
        C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          PID: 3512
          - Modifies registry key
        C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          PID: 1684
          - Modifies registry key
        C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          PID: 4856
          - Modifies registry key
        C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          PID: 4036
          - Modifies registry key
      C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        PID: 3104
        - Adds policy Run key to start application
    C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      PID: 2340
      - Modifies registry key
    C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      PID: 5944
      - Modifies registry key
    C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      PID: 5756
      - Modifies registry key
    C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      PID: 2200
      - Modifies registry key
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    PID: 4272
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\windows\hosts.exe
      Command line: C:\windows\hosts.exe
      PID: 4932
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      PID: 1828
      - Adds policy Run key to start application
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5428
Network
MITRE ATT&CK Enterprise v15
Downloads