Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

0abaf7fd66...cs.exe

windows7-x64

7

0abaf7fd66...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/05/2024, 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    0abaf7fd668ec7b2ba52cd03decc2ac0

  • SHA1

    e3aedc7dbf93de4a070e945530324298fa44febe

  • SHA256

    c6be66b6789888d1911e750c17f00307c83a5c951e90c172c0657a6d5283e2ac

  • SHA512

    57055f0f4011fca910b3fb93fc59c1fc6b1ff55d9b0f22e014a8dd5dafde0c685955bab4ada73cfef71877f0ac711cd5fb0450024364c3b8c0495dec3ae26482

  • SSDEEP

    384:jL7li/2zNq2DcEQvdhcJKLTp/NK9xaM7:ndM/Q9cM7

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gywacyc1\gywacyc1.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES891D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBD414AA1FF4C4D0FBD7D4C565030C134.TMP"
        3⤵
          PID:2620
      • C:\Users\Admin\AppData\Local\Temp\tmp8528.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp8528.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0abaf7fd668ec7b2ba52cd03decc2ac0_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2480

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      a97063714b84737fc77f6fce4ad4d3f7

      SHA1

      583584fdc0f722e9fcc26fed46ba75bb0fea1a74

      SHA256

      34df7c97d889d94d665cff8f1c4cae29aa3f2b9c19aca980a6aa06ce8fe5e182

      SHA512

      00581e4726f11a14f3a403060de2572cc3a75b03dd62d1a249d104b918368300026fb42b0d2c4b217c2199209002d14ba58fa493973876bb21ee9a1eb4a6084e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES891D.tmp
      Filesize

      1KB

      MD5

      621174c4180f8cac7405e74cecaba1f8

      SHA1

      ed24d13a935bf3b9065357018e89af1c534e0f55

      SHA256

      d6c98710a72225ad79e2ba6a7288949e9ed5da06cad5ee70f94bd5739c033a51

      SHA512

      a0e613b31d5472bae905fdeb724a744a8528f6144c66303e9f86a7278f0099e86bdd1534d49b9ba2a6b14aa9d751fcd6e60a4b728202f8009fccd908f085bafe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gywacyc1\gywacyc1.0.vb
      Filesize

      2KB

      MD5

      8bdf955aa9328da5f8ee11272e7887eb

      SHA1

      71b8d962763de28244f72d83ceb576405a2fc4c1

      SHA256

      c73568bce98bdf7c0076bd05f7e0d09497d482d3260ea862b49d2d29904d5971

      SHA512

      18aa11eff803e8df84ee08aeba70524d084e07f1276beee96125c20fe3e2127c8cfb5336e6f9ddb04426c39c0d72a984e7d377a32465828a0d9ee3eaa0e16d22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gywacyc1\gywacyc1.cmdline
      Filesize

      273B

      MD5

      b63f9a205debed1ec7b281a83167c454

      SHA1

      5015c140b4d986eaab28fe66dce91973e3b2a420

      SHA256

      95922eb3e13619ce5bc0daa13520b5b24254f683feeec531d3d8a31e12cec440

      SHA512

      56ff53d0b5cfaef53c87ee8a879c7e72a4585070c546f524ba716d49c31269a4bdbe8149fe2e7f64df31130eed29628ba67ad724e782b107f7d4e8e6af88506f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp8528.tmp.exe
      Filesize

      12KB

      MD5

      ccd377fc71cac15173ce29b69f62464e

      SHA1

      2b71afafbb24fcd589102e0a60b3ef9bb86f6a1d

      SHA256

      76b398b30113b10803e92fa4cf47528cba484abff957344f5327ad9161a57e77

      SHA512

      1a240a8caa25814c86a379f8d0746964c8d85f298904e0823034b20cb9f94ee40065417fe87cb3ebbeaf415a8a43790184923d1b6605c3fd97412db3c10cc82f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcBD414AA1FF4C4D0FBD7D4C565030C134.TMP
      Filesize

      1KB

      MD5

      5996a048cfc2ce74622192e77b284f45

      SHA1

      a9343fb6e2cdf07c1f014aac0d34bbca0fa3f407

      SHA256

      30d6dc982e40113e9a8589ca1f2d231c74a83b43703aa4f96ef0af9fb12d978b

      SHA512

      755c4b581416a6cf41dbeb02a22610cb2617c1fd9f97e4869597b6bbb457696e40e15de3bb73e3ff73c0a71f6695a9fe39b782eb4f72c235fd5cec607a0e2737

      Download Submit

    • memory/1312-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1312-1-0x0000000000D00000-0x0000000000D0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1312-7-0x0000000074B20000-0x000000007520E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1312-24-0x0000000074B20000-0x000000007520E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2480-23-0x0000000000350000-0x000000000035A000-memory.dmp

      Filesize

      40KB

      Download