Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

d84003982d...cs.exe

windows7-x64

7

d84003982d...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    10/05/2024, 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    d84003982d335bb3fa71fe7933929600

  • SHA1

    f3909e1bf91266169c87013d738c3c8d9bce8c5b

  • SHA256

    67480d640ca38edac6b75e61ec981055fbd0504fb1f96927c4266d28eb445c90

  • SHA512

    de237dc796f988c85d5a6ab3c20840900456fd78784dc9bc76af4a0346b7c112cb5199b5edfbe6f717bd9f2888138de516edb7cef66baf8f2e26d8e27cf5ba9d

  • SSDEEP

    384:aL7li/2zKq2DcEQvdhcJKLTp/NK9xaZM:EaM/Q9cZM

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\diwfgmzo\diwfgmzo.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB8011E355A34FCCBF2420272E59C62F.TMP"
        3⤵
          PID:2712
      • C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:3052

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      1d3f11c643def34e7d4c8e4663f10077

      SHA1

      e565753e2edf2ddfbb5371f27c5a71be80b2f992

      SHA256

      42f660f95cfdc0ce6a35bea6407b05c61d1566b7a91018333bd80e662317a0c4

      SHA512

      bfc2d75da3bd7c4c23c89fa7787cc3242b6e1747c06e76bca0e7c93c1acf676e9b734ea8ac3f7e73daf5addbff2b533415b013bf6b58256151a171c54a1fccd4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES33AE.tmp
      Filesize

      1KB

      MD5

      ac686837ea79d6ac8da76721ffc48121

      SHA1

      bf90e59d5282ffdd5d367c6ee5c89ce3de320c04

      SHA256

      3af2c4af9603d1147d6c439cc780caac243fd70f68b83a6243aec97308d925eb

      SHA512

      88a9d703d92ad9b69104e06b875bcf27c609fec474e10e9cc80305bb8eda5511782f83b6e7244ed300d7fc274c4d2804464f237eeb33bf0f7b77f0a6b84e4e9c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\diwfgmzo\diwfgmzo.0.vb
      Filesize

      2KB

      MD5

      e8eb8fce0625d85d1174e05aa91fbafa

      SHA1

      66bc46142bba3342397aec47404823643e290e31

      SHA256

      998f5baa833b49f0c0dc4f3cb7b5cfac4266f8068e2aab9328d56c74a9243cec

      SHA512

      c491e51ef04f6fde989254901fec12b9029529f0731cd74791488c1628f1c05a035cfa6324200e35625b1db3b9270b91ad4d9417ffcef32992f2046eb10d9816

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\diwfgmzo\diwfgmzo.cmdline
      Filesize

      273B

      MD5

      9557dbc0b67a6b81fb10a2af578ec457

      SHA1

      3fc24319b1262dd910f17c15e555e6ee5387fafd

      SHA256

      4a4ccd64d1a1421bf0112c2fe582681c15d5d0c0e9b8934429e40788a2de3ec9

      SHA512

      3689d8549376b9836a1fc9cbfa85a6f5470c5344e8438c66e7ec98cdc679d6f84e58e9093be6af6812507f7dc55d7649e173525fa5197a0191f128fa3d004290

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe
      Filesize

      12KB

      MD5

      a24efd64d7e6543f2d7e1aa1afedd029

      SHA1

      d7ec32d4612b569fa6e733e9270050fd289db268

      SHA256

      ac8a81fcb05ad14fd8b33e35aa9aa44d877a0eb9b60ccdbc4a60417e6bd29360

      SHA512

      9a981349264fb7ba9f974656104ad5d14f09dd8ee0f4829b555fec3bab2bb6df65fe54fc533cf3ef55ee57101b677428f477f49476ad3783f40e1b11362263ca

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcB8011E355A34FCCBF2420272E59C62F.TMP
      Filesize

      1KB

      MD5

      1aeaa13d14e7add5f97a7e287374fd84

      SHA1

      cae8bfcab890aad255d68640e62650fb31c2571e

      SHA256

      22ae0d7239857811edd7d112fac636f3d1dcb04c291994f1eafeadb114e30538

      SHA512

      2038dd521c0018b395c7796c7a2a5c3217cbdd5e9c8b0692dbb2014fa6fa690331eabd272a5f4f4aed3991336198b09325e34015c558c0433c4853e49a09173d

      Download Submit

    • memory/1736-0-0x000000007442E000-0x000000007442F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1736-1-0x0000000001140000-0x000000000114A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1736-7-0x0000000074420000-0x0000000074B0E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1736-23-0x0000000074420000-0x0000000074B0E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3052-24-0x00000000008A0000-0x00000000008AA000-memory.dmp

      Filesize

      40KB

      Download