Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 10/05/2024, 11:54
Static task: static1
Behavioral task: behavioral1
  Sample: d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
Size: 12KB
MD5: d84003982d335bb3fa71fe7933929600
SHA1: f3909e1bf91266169c87013d738c3c8d9bce8c5b
SHA256: 67480d640ca38edac6b75e61ec981055fbd0504fb1f96927c4266d28eb445c90
SHA512: de237dc796f988c85d5a6ab3c20840900456fd78784dc9bc76af4a0346b7c112cb5199b5edfbe6f717bd9f2888138de516edb7cef66baf8f2e26d8e27cf5ba9d
SSDEEP: 384:aL7li/2zKq2DcEQvdhcJKLTp/NK9xaZM:EaM/Q9cZM
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 3052  Process tmp31FA.tmp.exe
Executes dropped EXE (1 IoC)
  pid 3052  Process tmp31FA.tmp.exe
Loads dropped DLL (1 IoC)
  pid 1736  Process d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
Uses the VBS compiler for execution (1 TTP)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 1736  Process d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1736 wrote to memory of 1760  Process d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe  procid_target 28
  PID 1736 wrote to memory of 1760  Process d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe  procid_target 28
  PID 1736 wrote to memory of 1760  Process d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe  procid_target 28
  PID 1736 wrote to memory of 1760  Process d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe  procid_target 28
  PID 1760 wrote to memory of 2712  Process vbc.exe  procid_target 30
  PID 1760 wrote to memory of 2712  Process vbc.exe  procid_target 30
  PID 1760 wrote to memory of 2712  Process vbc.exe  procid_target 30
  PID 1760 wrote to memory of 2712  Process vbc.exe  procid_target 30
  PID 1736 wrote to memory of 3052  Process d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe  procid_target 31
  PID 1736 wrote to memory of 3052  Process d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe  procid_target 31
  PID 1736 wrote to memory of 3052  Process d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe  procid_target 31
  PID 1736 wrote to memory of 3052  Process d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe  procid_target 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe"
   PID: 1736
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\diwfgmzo\diwfgmzo.cmdline"
      PID: 1760
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB8011E355A34FCCBF2420272E59C62F.TMP"
         PID: 2712
   2. C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d84003982d335bb3fa71fe7933929600_NeikiAnalytics.exe
      PID: 3052
      - Deletes itself
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
  MD5: 1d3f11c643def34e7d4c8e4663f10077
  SHA1: e565753e2edf2ddfbb5371f27c5a71be80b2f992
  SHA256: 42f660f95cfdc0ce6a35bea6407b05c61d1566b7a91018333bd80e662317a0c4
  SHA512: bfc2d75da3bd7c4c23c89fa7787cc3242b6e1747c06e76bca0e7c93c1acf676e9b734ea8ac3f7e73daf5addbff2b533415b013bf6b58256151a171c54a1fccd4
Filesize: 1KB
  MD5: ac686837ea79d6ac8da76721ffc48121
  SHA1: bf90e59d5282ffdd5d367c6ee5c89ce3de320c04
  SHA256: 3af2c4af9603d1147d6c439cc780caac243fd70f68b83a6243aec97308d925eb
  SHA512: 88a9d703d92ad9b69104e06b875bcf27c609fec474e10e9cc80305bb8eda5511782f83b6e7244ed300d7fc274c4d2804464f237eeb33bf0f7b77f0a6b84e4e9c
Filesize: 2KB
  MD5: e8eb8fce0625d85d1174e05aa91fbafa
  SHA1: 66bc46142bba3342397aec47404823643e290e31
  SHA256: 998f5baa833b49f0c0dc4f3cb7b5cfac4266f8068e2aab9328d56c74a9243cec
  SHA512: c491e51ef04f6fde989254901fec12b9029529f0731cd74791488c1628f1c05a035cfa6324200e35625b1db3b9270b91ad4d9417ffcef32992f2046eb10d9816
Filesize: 273B
  MD5: 9557dbc0b67a6b81fb10a2af578ec457
  SHA1: 3fc24319b1262dd910f17c15e555e6ee5387fafd
  SHA256: 4a4ccd64d1a1421bf0112c2fe582681c15d5d0c0e9b8934429e40788a2de3ec9
  SHA512: 3689d8549376b9836a1fc9cbfa85a6f5470c5344e8438c66e7ec98cdc679d6f84e58e9093be6af6812507f7dc55d7649e173525fa5197a0191f128fa3d004290
Filesize: 12KB
  MD5: a24efd64d7e6543f2d7e1aa1afedd029
  SHA1: d7ec32d4612b569fa6e733e9270050fd289db268
  SHA256: ac8a81fcb05ad14fd8b33e35aa9aa44d877a0eb9b60ccdbc4a60417e6bd29360
  SHA512: 9a981349264fb7ba9f974656104ad5d14f09dd8ee0f4829b555fec3bab2bb6df65fe54fc533cf3ef55ee57101b677428f477f49476ad3783f40e1b11362263ca
Filesize: 1KB
  MD5: 1aeaa13d14e7add5f97a7e287374fd84
  SHA1: cae8bfcab890aad255d68640e62650fb31c2571e
  SHA256: 22ae0d7239857811edd7d112fac636f3d1dcb04c291994f1eafeadb114e30538
  SHA512: 2038dd521c0018b395c7796c7a2a5c3217cbdd5e9c8b0692dbb2014fa6fa690331eabd272a5f4f4aed3991336198b09325e34015c558c0433c4853e49a09173d