Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

10e8917546...cs.exe

windows7-x64

7

10e8917546...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14/05/2024, 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    10e8917546bc43cd789a3135d5558830

  • SHA1

    f45838965abc8b031970380cfe22361d0e796b50

  • SHA256

    7cd3647b0e93352d2cedd0103a16ef794b5618f20df6387eeabc8a013bdeb9a9

  • SHA512

    4282081c1bfb21bdb13b11bde62a5bfde9d9a8af86e3d84af3ef03ff8cae26e903f710f7a3057ed6cf67fc45d1edff484ed7bfb775b4d3df3333abfbd8436d52

  • SSDEEP

    384:wL7li/2zDq2DcEQvdhcJKLTp/NK9xa+/:u/M/Q9c+/

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pyr10qzs\pyr10qzs.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7423CF4F2D5C4491B8BFF7828B144B7E.TMP"
        3⤵
          PID:2576
      • C:\Users\Admin\AppData\Local\Temp\tmp2711.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp2711.tmp.exe" C:\Users\Admin\AppData\Local\Temp\10e8917546bc43cd789a3135d5558830_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2652

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      b30721bf350120da6abb907ecf5c4f8d

      SHA1

      2f1e4df02b055b2243422e3e8ee8cc7afbfd70a0

      SHA256

      a8d37aa41b633f8694e6bb74dd5cef9c6da95aa530017ddb02388946bceea050

      SHA512

      0426a14959b5e0bd1be90f3cf4f9aed8dcfa1b785dc7a69462d6e6325613b9da81051d43b2596f7408b1fd46e04154cd3152d2d726904c31de8c73d74b7eb6c8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES28B6.tmp
      Filesize

      1KB

      MD5

      21bba2b25a9606787818314415001026

      SHA1

      cde7968b8f41cc960a6458e441103b821d7c8499

      SHA256

      7893a0df6f12849117ecfdc75146fb1b74aefadd526fdaae566e6ee4a3b904e3

      SHA512

      85c5ae6031ec183b05097b6e6dca307f1d4e75f80282dc8475a190a480569e7e75a401d39dc2ed29df233618b91aa06c6e0f57a4fb4673dd482de6e458c38d3c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pyr10qzs\pyr10qzs.0.vb
      Filesize

      2KB

      MD5

      85b1d5fe383e6b56195cf2ecbc313fc2

      SHA1

      8080e430b593d6ad12ce15e67bcbb3f1188dbc69

      SHA256

      b8fbe58f0e3318a0e380f2f861ce0f4cc0659f0c711e56720f4637bebba2088b

      SHA512

      4fc026071536c616105035b8c1d74fdf2743d77b535d0f3429f42b2d83fb0c7bce30c9e9ad100c36e62f37db94016f49a40736ebd9e47037701250c6c8359fc2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pyr10qzs\pyr10qzs.cmdline
      Filesize

      273B

      MD5

      1c5d19956933cc3127188c3723a91378

      SHA1

      e41a98f8cdf1bba29031aa706da85a83e96eb581

      SHA256

      9600aa5b961da4c050334e2d09d9aefe24205c1b24a2d251288ebd7cab9cda27

      SHA512

      34a67aef15516d8310c7c7887b045879a414dd16a33b64b468aacfdfc292689889e60c76587056950e5c66266a678ea3f1cce79c6db2e5707ad921782726fa13

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp2711.tmp.exe
      Filesize

      12KB

      MD5

      0f23a4dbf80b40b0537e20aab3cf5251

      SHA1

      4ef9c87f22de5e8d4d89ce98ac5c9823295267ca

      SHA256

      3aba75afb7021d79ea713860c8cc95a5f832244d4d49bed57cae2cf049bc6d38

      SHA512

      a8942a29d7ef4a4200bc6e8527028c455ef335a4f650e015459e3c403621616cbb5043ada96bda9c018e186e4aae7f11c3d2104378b755f0ea3fa793443aaa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc7423CF4F2D5C4491B8BFF7828B144B7E.TMP
      Filesize

      1KB

      MD5

      6c32ae789f4c2ff6dd0b6e5430ef8fa0

      SHA1

      460a5523d5138369f1b147fd33c9186dbaf669c4

      SHA256

      b663cf080ccdbc823c1b35c2a1fa05833e335c38f968b6563d28d51cdfe82838

      SHA512

      c60cf8c2e48b28c5892a8f6be3c942ad058a0d2698308cb248f37ed2d3a379bd14a4d0085e1c51f768429242b57af089292c096f4c2e8dcb6bed0b438b699511

      Download Submit

    • memory/1704-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1704-1-0x0000000001170000-0x000000000117A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1704-7-0x0000000073F50000-0x000000007463E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1704-24-0x0000000073F50000-0x000000007463E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2652-23-0x0000000000E40000-0x0000000000E4A000-memory.dmp

      Filesize

      40KB

      Download