Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

e877518128...cs.exe

windows7-x64

7

e877518128...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 20:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe

  • Size

    73KB

  • MD5

    e877518128cf87d1ba0331e86fae93c0

  • SHA1

    e6636ce3d518aa5bd1917be328a9dab032fcedb4

  • SHA256

    9e8123b7355aece1c48ad55899c17f0fd78aca0b877148f2895241a4776e8852

  • SHA512

    af597456020183a9d4bc37acbdbddf2dc6d68b9a65ae6966ad97d5a151a36bbf252a3bf4c65ef578ddf0ac479e41342e4cc3817e52bef7876218fa434d1aa35f

  • SSDEEP

    1536:gjIewPQsrz8haFpmqr76/Y3WLptb4yzwC132n6sLDDO:gjIpPN8QFda/2Yb4yzjsLXO

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3472
      • C:\Users\Admin\AppData\Local\Temp\e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe
        "C:\Users\Admin\AppData\Local\Temp\e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3544
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5108
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:1996
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7A9E.bat
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1964
            • C:\Users\Admin\AppData\Local\Temp\e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe
              "C:\Users\Admin\AppData\Local\Temp\e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe"
              4⤵
              • Executes dropped EXE
              PID:3196
          • C:\Windows\Logo1_.exe
            C:\Windows\Logo1_.exe
            3⤵
            • Drops startup file
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2968
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2608
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                5⤵
                  PID:1260
              • C:\Windows\SysWOW64\net.exe
                net stop "Kingsoft AntiVirus Service"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4528
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  5⤵
                    PID:212

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            Filesize

            265KB

            MD5

            4cc64235c6003981db1ea177c2b87212

            SHA1

            38502de6b6e9736e40c6b2123112453445961173

            SHA256

            74e78dde7778e26c94f9ce2be244d2ee190f32974634758a1e4ff04cd9ef5c11

            SHA512

            f15285baa9d7cff9185babd79a58450b7bb543abd29de183541f87a056ac80ca8c96e37fd0c487a6eae56092e49847aab279842642e4767c67e5087785d1cf55

            Download Submit

          • C:\Program Files\7-Zip\7z.exe
            Filesize

            584KB

            MD5

            22ccee2ab087cc30c90e4dcc1c18f579

            SHA1

            a20e32e0cf82d7385c99958f018c3c574bb21fc1

            SHA256

            f477c15e8aad1bc5af96d8a912d90605bfd753e1f4049e1d0a0416807ee48ca1

            SHA512

            52cfacb24b07001501d713fb99cde3d5f4f80a8a7e847ea5725b94d4709082149d694307dd2dc82117fa6853d55c46aba62c5de37a0ee1146c2f8fbccc26edf2

            Download Submit

          • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            Filesize

            650KB

            MD5

            c0651f5f5ed8c9967b91a89a86cc4dc4

            SHA1

            6866b91667021c6cc7fd680451a5ea183dce3cd1

            SHA256

            d09336ea46c4c6e8b83dff2aa4bd31d9e993bcd572e6b274449adc5f9e51627d

            SHA512

            1cf7354f1b204415fd099c1fdaeecda5f0daec86948cee48da433d847d0ce94fee7fcf2365675868e82450891244b04902d730d6b0e0dfb5c29df1cd4b5d8ad6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$$a7A9E.bat
            Filesize

            620B

            MD5

            aa64029287f9b2a565d6cd0681a773a6

            SHA1

            2062e95b6654540e81abb2ba8950328edc583e07

            SHA256

            0f4a3885fecb2ee9020c22005ebee511e300ba6bb71617eda543f3997e284deb

            SHA512

            267a80b7fbbf762d33c46d26a1f8201cc116789c4a67e9c7e2710ea1df1c937ae8a6086485fcaff377728dfc9efb8608fb745df5e99da1b1eb8edba77f11c969

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\e877518128cf87d1ba0331e86fae93c0_NeikiAnalytics.exe.exe
            Filesize

            33KB

            MD5

            f8b1348f68d380115f37de85ca68d3b4

            SHA1

            1e2977c49dd8d52d1db3c1f14e32205c7efacfa6

            SHA256

            9cbd9a06aba24333d873174149ca30fe5c64c767586cec1a3c833eb6880c53ee

            SHA512

            0de9ddb66b52baa31a57689f781676839ca45a7d5e9cde9f57e96aa5c2c1118187dd1948e719b0c0fcbbe01da5c3ecdfc7caa6f32ba2dad940a4b2db668a384a

            Download Submit

          • C:\Windows\Logo1_.exe
            Filesize

            40KB

            MD5

            631ddb32cedc061b61ddc87286d637de

            SHA1

            4b316a4dcd624e1d66f520900800d3944c805fdf

            SHA256

            c75da8fb42e45cd655454114f62c3b039a20cf4ffa58658e7d7eebb69e50e3ea

            SHA512

            a4ef8392c6d75a3fd31f0cb1aff66ea12a37fecf131547d78607331eca6406348c1964318f5baa1a20289fb5930ece7ab64b7c490a002ef8ef7c16b2a9913a77

            Download Submit

          • F:\$RECYCLE.BIN\S-1-5-21-1162180587-977231257-2194346871-1000\_desktop.ini
            Filesize

            8B

            MD5

            d970a2bfcaa076939c06270d1a48dec8

            SHA1

            7a558f4d64c3e98bcfd2af83f28e6fbd207a39e1

            SHA256

            bdc6872f9a0a011a670907f0fedad9b88e283c5af545cf9f6bd73c3709967d44

            SHA512

            ea4c16930628455852ce343f8ae248b6df869b8da10b10928ebb802129f73d9761971811de317c7d3121b815340027782ec15d385d1d2d7df8fd0a46b62974c2

            Download Submit

          • memory/2968-11-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2968-18-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2968-5220-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/2968-8706-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3544-0-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3544-9-0x0000000000400000-0x000000000043F000-memory.dmp

            Filesize

            252KB

            Download