Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

64e2baf26e...cs.exe

windows7-x64

7

64e2baf26e...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/05/2024, 02:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64e2baf26e17b75f52f7fe63a01e8140_NeikiAnalytics.exe

  • Size

    694KB

  • MD5

    64e2baf26e17b75f52f7fe63a01e8140

  • SHA1

    111c420078f607a9d961a7b134d3217179c6331c

  • SHA256

    e54a83e1f7af39a68944b2c2b800c0b6d0efb3747a105c75d903e14df3c6fe79

  • SHA512

    2941e3bad66d8d46a6fbc4e1822ae30fe1d8efc83fb9917a0fb32dc162be2cbe378fba7e4c4b465f3c3b8128790d46121c0e5d66fbac405913bceecf41b3ce29

  • SSDEEP

    12288:ndQEshonKOU8B33ZxvqSEcJLCcbg7ZXMxuRJQ81jlDbfoHMaTqv8BIYlc70Xz:kKn5U8N3nEcNxEZcCQ81jlgHFTzHKy

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64e2baf26e17b75f52f7fe63a01e8140_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\64e2baf26e17b75f52f7fe63a01e8140_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4736
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Roaming\ServiceData\c2Gt4H.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceData"
        3⤵
        • Drops file in Windows directory
        PID:548
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:908
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        3⤵
        • Creates scheduled task(s)
        PID:2388
  • C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe
    C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe "C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg"
    1⤵
    • Executes dropped EXE
    PID:4532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.exe
    Filesize

    925KB

    MD5

    0adb9b817f1df7807576c2d7068dd931

    SHA1

    4a1b94a9a5113106f40cd8ea724703734d15f118

    SHA256

    98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

    SHA512

    883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ServiceData\Davonevur.jpg
    Filesize

    495KB

    MD5

    b36280ab2514b1772d2058fe14633850

    SHA1

    57b4b40365eb4e26aa9f9125acc9965210776195

    SHA256

    a3b628be13ef3a1f09ab8e4af4f59203e7e721283bd9414f2a35c03abd0ecf46

    SHA512

    7c13c658c2be4430aa7e6fa4a6b6116a91e5cf5c9ce425eb698236193b96d12656d264ce3f19940a17b8a59f7b7e5dfb1ea0c0c9dc381a788c3acf4f8fdfddfa

    Download Submit

  • \??\c:\users\admin\appdata\roaming\servicedata\c2gt4h.tmp
    Filesize

    491KB

    MD5

    9533ba8d9930f60f0b6257bdb79b2384

    SHA1

    b0b9dc920e83343784e818dcf4d9607de51118bb

    SHA256

    6a30579a54855ff5899cd73278d61e6b3d69abadc7ffedc6c0e0c3aa03594131

    SHA512

    e86c782b98b28e8eefc03cb703eb2c640d6b748285b76c93f8a892e2427a20de00c7dd4c141e1c38e69b2f78b54f6705e2ae40071aaba0392193fc1a7071259d

    Download Submit