Analysis
- max time kernel: 121s
- max time network: 57s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/06/2024, 01:07
Static task: static1
Behavioral task: behavioral1
  Sample: 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
- Size: 136KB
- MD5: 44dbf53170b964b9da3f2bca8dad30c0
- SHA1: a7f03af3ae3decfba18e38d915252bbb9ff79b4c
- SHA256: 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891
- SHA512: 7076a0cdd5ce698eb9532ad3adc23491f771e3a9f00c6e8e3a674ce54fe63e3e461a08da220e63debc372ede25d9d144e9918c7a8acf4fa16bf4af7bd94fbef4
- SSDEEP: 1536:S4+aEpOwd/VxDy/5X2++jCx3kdjKsPGR7ehp3vmLvsZIZwTcNhLx8bZJLtgliY4V:obpDCw1p3vmLvsZIaVvq7TW
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
  description | ioc | process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  - Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | avscan.exe
  - Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hosts.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
  description | ioc | process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  - Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | avscan.exe
  - Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hosts.exe
Adds policy Run key to start application (2 TTPs, 6 IoCs)
  description | ioc | process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" | WScript.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" | WScript.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" | WScript.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  - Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | cmd.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | cmd.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | cmd.exe

Executes dropped EXE (6 IoCs)
  pid | process
  - 4228 | avscan.exe
  - 3240 | avscan.exe
  - 1220 | hosts.exe
  - 1344 | hosts.exe
  - 3088 | avscan.exe
  - 1984 | hosts.exe

Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
  description | ioc | process
  - Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | REG.exe
  - Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | REG.exe
  - Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | REG.exe
  - Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | REG.exe
  - Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | REG.exe
  - Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | REG.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | avscan.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | hosts.exe

Drops file in Windows directory (5 IoCs)
  description | ioc | process
  - File created | C:\windows\W_X_C.vbs | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  - File created | \??\c:\windows\W_X_C.bat | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  - File opened for modification | C:\Windows\hosts.exe | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  - File opened for modification | C:\Windows\hosts.exe | avscan.exe
  - File opened for modification | C:\Windows\hosts.exe | hosts.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (4 IoCs)
  description | ioc | process
  - Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  - Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe
  - Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe
  - Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe

Modifies registry key (1 TTP, 9 IoCs)
  pid | process
  - 1108 | REG.exe
  - 4256 | REG.exe
  - 456 | REG.exe
  - 4608 | REG.exe
  - 2748 | REG.exe
  - 3148 | REG.exe
  - 2500 | REG.exe
  - 1444 | REG.exe
  - 4472 | REG.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  - 4228 | avscan.exe
  - 1220 | hosts.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | process
  - 1892 | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
  - 4228 | avscan.exe
  - 3240 | avscan.exe
  - 1344 | hosts.exe
  - 1220 | hosts.exe
  - 3088 | avscan.exe
  - 1984 | hosts.exe
Suspicious use of WriteProcessMemory (63 IoCs)
  Each distinct write is recorded three times in the original table; the 21 distinct rows are listed once each below, with the count of identical entries.
  description | pid | process | procid_target | entries
  - PID 1892 wrote to memory of 4256 | 1892 | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe | 81 | 3
  - PID 1892 wrote to memory of 4228 | 1892 | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe | 83 | 3
  - PID 4228 wrote to memory of 3240 | 4228 | avscan.exe | 84 | 3
  - PID 4228 wrote to memory of 1792 | 4228 | avscan.exe | 85 | 3
  - PID 1892 wrote to memory of 3700 | 1892 | 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe | 86 | 3
  - PID 3700 wrote to memory of 1220 | 3700 | cmd.exe | 90 | 3
  - PID 1792 wrote to memory of 1344 | 1792 | cmd.exe | 89 | 3
  - PID 1220 wrote to memory of 3088 | 1220 | hosts.exe | 91 | 3
  - PID 1220 wrote to memory of 468 | 1220 | hosts.exe | 92 | 3
  - PID 1792 wrote to memory of 2256 | 1792 | cmd.exe | 93 | 3
  - PID 3700 wrote to memory of 4052 | 3700 | cmd.exe | 94 | 3
  - PID 468 wrote to memory of 1984 | 468 | cmd.exe | 97 | 3
  - PID 468 wrote to memory of 1244 | 468 | cmd.exe | 98 | 3
  - PID 4228 wrote to memory of 456 | 4228 | avscan.exe | 101 | 3
  - PID 1220 wrote to memory of 2500 | 1220 | hosts.exe | 103 | 3
  - PID 4228 wrote to memory of 4608 | 4228 | avscan.exe | 110 | 3
  - PID 1220 wrote to memory of 2748 | 1220 | hosts.exe | 112 | 3
  - PID 4228 wrote to memory of 1444 | 4228 | avscan.exe | 114 | 3
  - PID 1220 wrote to memory of 3148 | 1220 | hosts.exe | 116 | 3
  - PID 4228 wrote to memory of 1108 | 4228 | avscan.exe | 118 | 3
  - PID 1220 wrote to memory of 4472 | 1220 | hosts.exe | 120 | 3
Processes
Process tree; indentation shows parent/child depth, and each entry gives the image path, the command line, the signatures attributed to that process, and its PID.

C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe (PID 1892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe"
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\REG.exe (PID 4256)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Impair Defenses: Safe Mode Boot
      - Modifies registry key

    C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 4228)
      Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 3240)
          Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\cmd.exe (PID 1792)
          Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
          - Checks computer location settings
          - Modifies registry class
          - Suspicious use of WriteProcessMemory

            C:\windows\hosts.exe (PID 1344)
              Command line: C:\windows\hosts.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\WScript.exe (PID 2256)
              Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              - Adds policy Run key to start application

        C:\Windows\SysWOW64\REG.exe (PID 456)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key

        C:\Windows\SysWOW64\REG.exe (PID 4608)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key

        C:\Windows\SysWOW64\REG.exe (PID 1444)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key

        C:\Windows\SysWOW64\REG.exe (PID 1108)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe (PID 3700)
      Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\windows\hosts.exe (PID 1220)
          Command line: C:\windows\hosts.exe
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 3088)
              Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\cmd.exe (PID 468)
              Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
              - Checks computer location settings
              - Modifies registry class
              - Suspicious use of WriteProcessMemory

                C:\windows\hosts.exe (PID 1984)
                  Command line: C:\windows\hosts.exe
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx

                C:\Windows\SysWOW64\WScript.exe (PID 1244)
                  Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
                  - Adds policy Run key to start application

            C:\Windows\SysWOW64\REG.exe (PID 2500)
              Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
              - Modifies registry key

            C:\Windows\SysWOW64\REG.exe (PID 2748)
              Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
              - Modifies registry key

            C:\Windows\SysWOW64\REG.exe (PID 3148)
              Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
              - Modifies registry key

            C:\Windows\SysWOW64\REG.exe (PID 4472)
              Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
              - Modifies registry key

        C:\Windows\SysWOW64\WScript.exe (PID 4052)
          Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          - Adds policy Run key to start application

C:\Windows\System32\rundll32.exe (PID 2128)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 136KB
  MD5: c550d9b404e6f175066c05afe7b1ab46
  SHA1: 5062911563003e3d83d0202ac7908ea3591afd80
  SHA256: 37d7f412f7036c3dfaa19c4cde9f8f9f1eba487c4e7a6a187a15c146341208f6
  SHA512: 5d5fe151a880f9d333d0cfdc9cf19eaaa9f7a870aef2cef442ca5892f7e7b4828490a778abe1a418add64507de590f6f8038999df3aca82eaa50552988079b8c
- Filesize: 195B
  MD5: 2bf5a187f48b0e3c967d35345b39cf75
  SHA1: 5dc7cfa3b9818baa039314fd49d38825a88f30f2
  SHA256: 9676e777e8eec50aa91525d3c0ed7c17047ddf363cb28a83a474c2840cd4c7b1
  SHA512: 1f0c2d5fadc2304f910caf7569a968b1824687cb57dd8f470dc67b8262cb009809c83ea626f2f99d9ce4e8113efb46c53b979f6dc3113433f7503ca4d119e16c
- Filesize: 136KB
  MD5: f7a3d779828fea2783673da73bb7b53d
  SHA1: 74019771345c5f73d46aa749b0145b5785ccf8e8
  SHA256: 37a4a86330ae5cc0dd9f21d2f6266324e0b6475d696b0605c8895f5ed626a714
  SHA512: 3f3be0b211bd897d772520a32345b47357254681c61042f22b6b5035b2ae6906dd669d054c99cc2526e78c57d098dd5021fd18bf3e22344b52d2a725c3c9fda1
- Filesize: 336B
  MD5: 4db9f8b6175722b62ececeeeba1ce307
  SHA1: 3b3ba8414706e72a6fa19e884a97b87609e11e47
  SHA256: d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
  SHA512: 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b