Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

5770ca4514...cs.exe

windows7-x64

7

5770ca4514...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    12/05/2024, 01:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    5770ca451449ba364e75ebfa2eee9590

  • SHA1

    480795985bdd4eb071b0f637bf13e3a7a1aaad18

  • SHA256

    3d7d08cb3283723eeeb9f454285a82484bb9f4cdeea07caa31fb5d255a14446b

  • SHA512

    44334236f00dca8db345f9946fc3154ee0b13746140782f71c050b46dae97fb6a15b8eb0e9dda52374e305815a66c31ac10eebe11847b4fad5a6ebd33d046155

  • SSDEEP

    384:sL7li/2zfq2DcEQvdQcJKLTp/NK9xa2pd:qjMCQ9cSd

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pbwcf4mz\pbwcf4mz.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D9E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9DBAB3664F3F40E493875BABD6A2DAFB.TMP"
        3⤵
          PID:2856
      • C:\Users\Admin\AppData\Local\Temp\tmp1BAC.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1BAC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5770ca451449ba364e75ebfa2eee9590_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2632

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      83e08bdbb9c236adfa11565862dd321c

      SHA1

      9c99a106a62dd15163323ba1dacf7291490df63a

      SHA256

      aa673ddbadbae116dd14185ab91d85f83e1abc2e92952840dd7e3a20a0b9332e

      SHA512

      701b6b06071a9e72e246997a4a91473b57bca8128cca740e499af8533e97e3c15d90037a9d5c8d3f5cedc0463cc59ee132dc1a4c51729e31edf99616fdc8311a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES1D9E.tmp
      Filesize

      1KB

      MD5

      1315b6a8b82aa187627b749854199398

      SHA1

      466c276ca42e677575208f61835ad00714f6a4d2

      SHA256

      038516141226de65179da540c4fd2c858c6623121a17f6bfdd78eff0b97bd501

      SHA512

      2c910567d798032b5f1ad014cf86212dd803d2e5a85cd682ef889dcae56321412eb1a234241fa8ad5822e771a5f88f414a2cf949b216dd0dc2b362055c46ad3c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pbwcf4mz\pbwcf4mz.0.vb
      Filesize

      2KB

      MD5

      3adbfc381b68d59e8f4b3d2235477177

      SHA1

      92f097fb60a90b74bce2904b3d7d17e2ddade609

      SHA256

      b9fd3edeb43d2c1ac386ab7877cec212424b748dc8dfa8f34beb4aa1421f0f35

      SHA512

      978e158ec3faeac9f01ad3f5a0d90bba651617f91d74b933998ee9376da4587dfcf8dd2085475a6c8dc8a51e90d6fb81d6b49c4633fb2d4300237f5843467081

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pbwcf4mz\pbwcf4mz.cmdline
      Filesize

      273B

      MD5

      b02dfb3a3ffd460273cff72cf665d3d5

      SHA1

      a99ab52e6fdc0fea7e92ab7e65e2e958834e58f9

      SHA256

      a355ab5b4443739b59375458d4e8f9c5e0d823fba93ad6a1e2860d881f40f5e3

      SHA512

      5ca9fdb45f0c10d03951781734fbe28fc34bab97f82520148ec360b28ad7f8636ce6720d57c268a0c9ee266932444b34ab6eb8f4ade2a4a81ab43fd2e9084b69

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1BAC.tmp.exe
      Filesize

      12KB

      MD5

      d69bc5b2793f86ce1a5da2714d0fc9c6

      SHA1

      090afb531783793031da7b794a43e40e7ebfc6af

      SHA256

      39f4587623fe5ee0ecf16992c3d4134f674c488ae7d179339ec80948f8ba7a87

      SHA512

      0a2bfdaf621167633a02997ca6782aa0abe74a3886a3640aeb83c4ec4f9d534c06047ad13bc7f01fde11c82209fdfd646833bf859c332ecc7c8634b7660af799

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc9DBAB3664F3F40E493875BABD6A2DAFB.TMP
      Filesize

      1KB

      MD5

      1df848d4ccf8a999b4610dac720fe14c

      SHA1

      62f093e2c19ed6db39a134ef06a158bc580c2ea2

      SHA256

      cbea8a2038bcfd517dd4a31065b0cbab1129addf46921cd8ae52bc0dc740f0b1

      SHA512

      6c403418332d0d058afa310f885a4f6ec82c7e03ae9cc723ddb16e5a03cc2eb207227933c0b50e346ac3e3c1b00d0bbf8b9d6c09c049b2f76eec92417a3e297d

      Download Submit

    • memory/1920-0-0x00000000742FE000-0x00000000742FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1920-1-0x0000000000C30000-0x0000000000C3A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1920-7-0x00000000742F0000-0x00000000749DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1920-24-0x00000000742F0000-0x00000000749DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2632-23-0x0000000000130000-0x000000000013A000-memory.dmp

      Filesize

      40KB

      Download