Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

4a2b844cc3...cs.exe

windows7-x64

7

4a2b844cc3...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    10/05/2024, 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    4a2b844cc3569863df29389496680c10

  • SHA1

    485d6c18331112391d7ae64e6d35728fb10c3331

  • SHA256

    ac78ae6859e76adecb9a7d3832fcd7d78ecda878e47c1d747954bc5f17bf74f8

  • SHA512

    5a5329a4a19ec550b42d34b5581071a85b30c42890decfd1da67f92f70fc16f529b2d8b98edde470968924eb8f8706b8c802b7afa2f5b89c6611001cfb3c9cf1

  • SSDEEP

    384:FL7li/2ztq2DcEQvdhcJKLTp/NK9xado:FtM/Q9cdo

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u5tntqag\u5tntqag.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc719D84E710194FA8BBA7F2BFF131D4B5.TMP"
        3⤵
          PID:2632
      • C:\Users\Admin\AppData\Local\Temp\tmp1585.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1585.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4a2b844cc3569863df29389496680c10_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2556

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      65875ac58137a78d260074af9df73cad

      SHA1

      390818698fbc83423d49c75ab835c4178dbad349

      SHA256

      766e8009b0396e45f4868b3925db9a76b5d6d3af6240a756b1a37fbaf8030917

      SHA512

      221b6ced068060094ba7a32e85a57a8cc4afed73731278308c0020115eb221aedf6343e8f66b7c6aac2128530ed9c7d32a2415fbb97db55cdd4fb16315588707

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES16DB.tmp
      Filesize

      1KB

      MD5

      addc9b34dc06d5d3f956dc88895e87ab

      SHA1

      6c79e9eb3e7c877c89c98a90158114247cf61bc2

      SHA256

      e40d96b6d8f306414ddbcec9e21076ed05eea1f229b6a18c76aac9c7b88ff9db

      SHA512

      3ebb118073e5468aca4318914913c78918bd718f82d571fc2562cf132f403df8a7a3ef3185a4727c6c6d572ee590ad9b1787108d8f688959613affb6311f5c89

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1585.tmp.exe
      Filesize

      12KB

      MD5

      2b11e3457c7be1e0fdb16a27e989b62d

      SHA1

      72692808e394bb7b1f2cf4d39a4b28a776a0be25

      SHA256

      92a76bbc9d35aeea80b7716ea7240dcf69705ea2ff5b7f388909229b593d4fd9

      SHA512

      0b1400f0c464d8685c5ebf59182e8241ca80656dbfcf40b87f2964073ec8eb1ab0f99a81bd3829e06035a2532244b6e184bef5bc837d4a76c2c3f75e07cc178f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\u5tntqag\u5tntqag.0.vb
      Filesize

      2KB

      MD5

      b92992a1a530e25c5fd72a251db3328e

      SHA1

      a6f1d10a62b8ae5579f7dfef021015eb14c3880d

      SHA256

      18a109f9ace3e84069c477e117215d6c2739bfc112883bbf9a1ea3a867efbd60

      SHA512

      d55da7092dec56ee3975ae44f976e3f3559ccd2ed713956171a59fb76dd9c450c07e39e239904a177fa8d9c5e12dfde25ea8c9681e7e00c08c3ffcb1833facab

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\u5tntqag\u5tntqag.cmdline
      Filesize

      273B

      MD5

      4239cc97b52fde8790849f89fd2ac054

      SHA1

      3d698a621b4d75a577eca8f358c5f3e08ea99646

      SHA256

      e2c144b2869ab03c9609e9e901129baccf62caa620ef47e25f92e63f61198f2e

      SHA512

      015c1d4374ea06907cb608044f0218df00e11d45ade02e9919013237b7580cd0bcb2668f2af2af23d4f964f0126509c2a0b7984d115c2ff047a4b638ef2116d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc719D84E710194FA8BBA7F2BFF131D4B5.TMP
      Filesize

      1KB

      MD5

      891259e080d272cbbfa6f6b7e7962b21

      SHA1

      01c7a90ffb9081d3dbbd3d61c183fc43b8e58347

      SHA256

      088778fffc4fa5e37afbb101980f14ea606514fdf2c4639ebb550c883db0232e

      SHA512

      1dc973cc97baa3046a585465724d0027f257081fd69c80f5510370e2c99775c2c890377dbb3b461959054ab227d8da942fde1ef11e5e18c2d2979d548106ec25

      Download Submit

    • memory/2064-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2064-1-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2064-7-0x0000000074BD0000-0x00000000752BE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2064-24-0x0000000074BD0000-0x00000000752BE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2556-23-0x00000000011C0000-0x00000000011CA000-memory.dmp

      Filesize

      40KB

      Download