Analysis

  • max time kernel
    121s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 22:07 UTC

General

  • Target

    0b1026a72a44af785f1fdf60d876d440_NeikiAnalytics.dll

  • Size

    304KB

  • MD5

    0b1026a72a44af785f1fdf60d876d440

  • SHA1

    ace04fb4983400217d2d9882e5649e40a73f78aa

  • SHA256

    04b00f64881e841e5d020b3f34853cb08db06d48fb0d06b927912a7372837193

  • SHA512

    d79ad3bf0645568df75b3d0238d9a0dcbc2493060d0cb9fb45f9730a8102a9ab4d03c6d186d7b9d4fc53cbac9314d54dafdc1db930bad5a71d0af38fcdc92ec5

  • SSDEEP

    6144:bXY1Ku5iEM7Wm3rRVgEvcDAwyJupD74ztWFqA95gOdX+umC:uKxXfRV0AwysZFZ5pX

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 58 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 62 IoCs
  • Modifies registry class 47 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0b1026a72a44af785f1fdf60d876d440_NeikiAnalytics.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\0b1026a72a44af785f1fdf60d876d440_NeikiAnalytics.dll
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Users\Admin\AppData\Local\Temp\56CB.tmp
        C:\Users\Admin\AppData\Local\Temp\56CB.tmp
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        PID:3668

Network

  • flag-be
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    2.17.196.137:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Thu, 09 May 2024 22:07:34 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.85c41102.1715292454.5457641
  • flag-us
    DNS
    37.56.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    37.56.20.217.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    20.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    137.196.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    137.196.17.2.in-addr.arpa
    IN PTR
    Response
    137.196.17.2.in-addr.arpa
    IN PTR
    a2-17-196-137.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    35.15.31.184.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    35.15.31.184.in-addr.arpa
    IN PTR
    Response
    35.15.31.184.in-addr.arpa
    IN PTR
    a184-31-15-35.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    35.56.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    35.56.20.217.in-addr.arpa
    IN PTR
    Response
  • 2.17.196.137:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.4kB
    6.3kB
    16
    11

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 8.8.8.8:53
    37.56.20.217.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    37.56.20.217.in-addr.arpa

  • 8.8.8.8:53
    20.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    20.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    137.196.17.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    137.196.17.2.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    35.15.31.184.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    35.15.31.184.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    35.56.20.217.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    35.56.20.217.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\56CB.tmp

    Filesize

    145KB

    MD5

    c610e7ccd6859872c585b2a85d7dc992

    SHA1

    362b3d4b72e3add687c209c79b500b7c6a246d46

    SHA256

    14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

    SHA512

    8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

  • memory/1376-0-0x00000000026E0000-0x000000000271A000-memory.dmp

    Filesize

    232KB
