Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

500d88c959...cs.exe

windows7-x64

7

500d88c959...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    12/05/2024, 20:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    500d88c959a3e5a30764bf3f8728d3c0

  • SHA1

    775679d39f79daa12d6d77c60074d30c1438a6de

  • SHA256

    25ea33f3e06d0e4eed64cef88daa440fa05e7a3121ab8c86c86a3b20ae1e5cf8

  • SHA512

    a19d050649fde2c06aec1bcb1d8b0e6210b09cbf29fc982b573b02bccca8d3dd00bae148a83595c2a3ea4259ada50e2ebdb23d525f9e8aac5703aa680336653a

  • SSDEEP

    384:qL7li/2zoq2DcEQvdhcJKLTp/NK9xamz:0UM/Q9cmz

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pjvshryd\pjvshryd.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3E875B248204313B5C269A36AA1CDE0.TMP"
        3⤵
          PID:2412
      • C:\Users\Admin\AppData\Local\Temp\tmp2933.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp2933.tmp.exe" C:\Users\Admin\AppData\Local\Temp\500d88c959a3e5a30764bf3f8728d3c0_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2796

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      8550e17ee74a0a206b6e045e3e5d9f88

      SHA1

      58d9f7c2fa1f9f5823ee6965f3ac80f7d38e18d3

      SHA256

      a41eabb95dc025443fc12bd280a0bbc1bbbd997ec4abddfe8ba811056a902475

      SHA512

      b327043332b97e88dd6a94321dd957b05a966b918e51cea26df9e7380d8d250aaa8ce544cc336db1f1c5d8f76fc2082fc41041aab90af722ab358771f2f6ce0f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES2B45.tmp
      Filesize

      1KB

      MD5

      1680efc6251e8173d536d346def4d89f

      SHA1

      adc261705d1b64757b01b02b565f69dbc178898f

      SHA256

      1eb3f598bf356cbeb8c95f64bb77d41deac63338aa78f94c542d284e24a6258c

      SHA512

      3f5540cc7ab4f5dfac9e042d92020bb687eb4eaa4d1748825e3b8c10f6a351a770528f2d3dd93be67310572e505b378cce3d08bf538e0db4afc664ef902c1c42

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pjvshryd\pjvshryd.0.vb
      Filesize

      2KB

      MD5

      b9cf7e154f61f49c10cfefe8ea8dd66c

      SHA1

      59c15bdac8e136e1e87df4d5e8f71722ddc84d26

      SHA256

      4c806a99fd0c315a4c9d924e292076ab5af0884d3625f55fe6f0d1dd95ea0ce1

      SHA512

      76406e321e8a1e832a8fc43b00a0b2c398b45f16eba0f7f7a3688b709e58a655eb3f2c0a96f627ef17f291f5d2e33c2016ccef8f640c846803d4971138f5ebfe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pjvshryd\pjvshryd.cmdline
      Filesize

      273B

      MD5

      6d60704548d57c7d4ec564ee8bde2aec

      SHA1

      e4d874cce15b1e1bcdb24622ad6c5873e898ee7f

      SHA256

      7650e62ab34b8fae8f5dadafc94afe9d0fd787b2f7ba4cdc6ef71de5f2d133ac

      SHA512

      bae734bcdef129ad34af49da0341e73726f063694d2912d1d9367190cd2c4adc34a86752ebc112d48c2d9b3bbd44e0824e9298221f4e6f689852e7c245b99e2e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp2933.tmp.exe
      Filesize

      12KB

      MD5

      ab43775ecc3879966ec5f47af172f17b

      SHA1

      aa01e0db9e646916ab15f1b47bbef0677f23205b

      SHA256

      9cd31611d104e377f6dcc4ce7f5e006fa6d0a7d32e076f8fb7099a15c468db47

      SHA512

      5c7669e9166ab1fa58d45619c46e5c70240bd843e0c2cf4bb4f5fe617da47d9e30e7e87b3b4805880e0557b7d6fae3982d4f8ed78d51386f03ad49c0b8596d1d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcE3E875B248204313B5C269A36AA1CDE0.TMP
      Filesize

      1KB

      MD5

      293f743120c658790cd1030227397494

      SHA1

      11d82c101b4dd746d2bf685090dbfcba4f727cc5

      SHA256

      a24d0dcc18be92d887072c717b0a18178d705ecca4cfc09263f9e55d5a752b2a

      SHA512

      dff77fdffefdeb706bb74bc0c790f40b734b12d2c6857ad311443304bb633d0b72ae2678ba7e3b89eb4dac8f4a214c31ca2c1ae4b4987dab467a38277aa01ce1

      Download Submit

    • memory/2444-0-0x0000000073EBE000-0x0000000073EBF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2444-1-0x00000000003E0000-0x00000000003EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2444-7-0x0000000073EB0000-0x000000007459E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2444-24-0x0000000073EB0000-0x000000007459E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2796-23-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

      Filesize

      40KB

      Download