Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

1acac53a42...cs.exe

windows7-x64

7

1acac53a42...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    10/05/2024, 16:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    1acac53a42b94d3fb5b0cf07ac8c3720

  • SHA1

    3ca37bf4f0e186e3bbc7cb463db3a2b549db2b16

  • SHA256

    2a8e1a8b9d75e6f2e9c355ae6f6c3009a8ca6f9f1f5071a042d3e07a45c28a45

  • SHA512

    a9be5245e3c37db6cdda93c2b66c833998d7687f894f9df4a147d42dc61296073c6f641e28eb14fe8fa93ec164c698f69a3a8878f4eb68f5af90b138815a4d0c

  • SSDEEP

    384:LL7li/2zUq2DcEQvdhcJKLTp/NK9xazH5:fIM/Q9czH5

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b1p3f4qi\b1p3f4qi.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83BBD4C577F2442B92D13414A667CD9.TMP"
        3⤵
          PID:2800
      • C:\Users\Admin\AppData\Local\Temp\tmpB19.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpB19.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1acac53a42b94d3fb5b0cf07ac8c3720_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2560

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      f2f69900c391c17465907f4b9769f5a6

      SHA1

      249a6ada2050b72b079164066f7aa3c995736007

      SHA256

      b5f8ab79b088c25504ceba07a08c23e5de42c23fa7b8037b8a4b823d2fd0111e

      SHA512

      8d6d841edc70d7b8ba33548eecb65f67419d039d12af251354dcff353300823a552b7dc5344a1c6d10e88fe5052d2165bd520769ddc3586baaf312a34de08278

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RESC6F.tmp
      Filesize

      1KB

      MD5

      694465999578cd4f96c7a3ebb263a31a

      SHA1

      1fa2f4a6ea391c3f1953e691a5aba7814fb6eb5a

      SHA256

      7ac7089fbd10983a731c20a328be9826d65af4a338ff8de5968069104cb4a582

      SHA512

      4f96bdb976f7defa560c50900aae5d43893ee91c369cb5ddbca85f52c5999f758b1c0c36de7c9e965372a00623c9b62387e6b7100fd0b1cf73049242970f747f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\b1p3f4qi\b1p3f4qi.0.vb
      Filesize

      2KB

      MD5

      ba43cf1843d7f727e40538bfc164ab42

      SHA1

      de78b2535e944b4cc4123ff3eb86f711f81b04b8

      SHA256

      f587225f4139606c669368cbe5910963a8663572500a4289d1fdfd6ee5260f35

      SHA512

      1a6c185ff933d06d2121c4900003dc5933d01ea4e9441aea78b8c645ffeb9164265962008217ce19963f93811abc0ad0060dd526e39e0bd6fe1b449d9db1c4df

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\b1p3f4qi\b1p3f4qi.cmdline
      Filesize

      272B

      MD5

      6cec1ea55aaf2f5913d9cc637792d859

      SHA1

      b73de5c7edaf25be640e477ad5b69b168b236f13

      SHA256

      739ff764089a859ad2e06d6a03c3555047ba63a885c4fcd97574a5f8d2a7b648

      SHA512

      9c64ca3aded93b73dadea59d8a297033f95aa09244005efa9c7f8186586b40f000271a0152149cdebb9411e81bc4df3ea13cae68b41dff6ff3e034145db96981

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpB19.tmp.exe
      Filesize

      12KB

      MD5

      d60ef8113fd14e118efafd246d1ff4c4

      SHA1

      2a582974f50dd7bc37bf7345d0b0e663e4c2069c

      SHA256

      79e9ca517f456cec17df964f9116e18f38ca69ed36d7dd4f5582cdd9e21b3326

      SHA512

      754175ff54e2e1aac82333e3eb22824cc3ecf7e29abce4761299690b5e09a78e987bead5add6b9b7857afa47eea2d39f76549d29834604acd2191ce5d07966b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc83BBD4C577F2442B92D13414A667CD9.TMP
      Filesize

      1KB

      MD5

      a2b9862e1dee9f42de6edd1feb356382

      SHA1

      598e2c187c5153e9c01ac27c48f0142283ac82db

      SHA256

      6998ad12847fb900c16ae7f0eba40bba66e5918e4177845360fad31e1266fb7d

      SHA512

      b60b0a31bdb1bebaf5b0792bda3c3ee13d2c47b9040f4a960b050e204bed3519a995be35fe36521e08bf75b7f0e7023e03300b8581aabe49b8af2a6e4c6c4793

      Download Submit

    • memory/1372-0-0x000000007481E000-0x000000007481F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1372-1-0x0000000000350000-0x000000000035A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1372-7-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1372-24-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2560-23-0x00000000010A0000-0x00000000010AA000-memory.dmp

      Filesize

      40KB

      Download