Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

a52f08fb5c...cs.exe

windows7-x64

7

a52f08fb5c...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    15/05/2024, 07:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    a52f08fb5c2dfbcad380b60a30e12bb0

  • SHA1

    b814c3cf79e2d9c2e490d3880e6e03bccdc862f8

  • SHA256

    0ab3180614dbb7acad5c529f3ec56483d40ae457447012721225e9795b4196bc

  • SHA512

    255c898bcef5d498877e7529ee7954379f3832d96c8f1dfc88dd8da374493fa2ee58fb384b6bf6ce524429fadba62307f6e213535bc22eb328ec558ddf1da761

  • SSDEEP

    384:vL7li/2ziq2DcEQvdQcJKLTp/NK9xalQ55:DSMCQ9clQ55

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0q4qmloy\0q4qmloy.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF391E9A53C564051A5D1D9362E6C58A3.TMP"
        3⤵
          PID:2712
      • C:\Users\Admin\AppData\Local\Temp\tmp17E5.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp17E5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a52f08fb5c2dfbcad380b60a30e12bb0_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2608

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\0q4qmloy\0q4qmloy.0.vb
      Filesize

      2KB

      MD5

      c5b05cb7178f58d8374cde55531d4644

      SHA1

      4750680ad55c5d640c78fa597c14c6ef228acb35

      SHA256

      cd825fa6c0483642910555b7b401174d5371455e8789b7b335a367d849a4d722

      SHA512

      aa9a3cb2ff20bf970208ded15c4bb0606ffa440597d481db22370adbf67fe48487be3153e2f4c3e96cb8b9b2102ecd3a2c3c8d5435e8f7a4ba09d2d1f5b28cee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\0q4qmloy\0q4qmloy.cmdline
      Filesize

      273B

      MD5

      d9f208ef1372d380dcde7e84a7c0c56e

      SHA1

      70f315f7db1076af4b7f5b9192ef7e4af0525872

      SHA256

      a7f340b7a21b1a06d85450fe67be407f0c193033f22b22b9087a58b9332bf5ae

      SHA512

      14e0e84503a2d80751ee5c2bf26cd25ff022b9102a0e798f5e7a5a8e9d1059633fece72e85b9fe888e9e0b7b28cc95ee307ed7fd14df05b52e1d4930479296b4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      17e07464235c6ebbb59525a2a85cd6ea

      SHA1

      e436e92f3ca6446ae6d4ebddee3815193a29b83b

      SHA256

      3c4a90e4d63b143a282f6b7fb9c10c88de26e7489a1068684dab432e102f0317

      SHA512

      967a084924542612629373db1942212bce497f20510fc625f775e6dc9eaf13b696a42264d183dbe20d4878961058455139c43c6b2e3fc0905cd6ebdd3ab7fb3d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES18DE.tmp
      Filesize

      1KB

      MD5

      ffe93af41e000e0007abd012e6ca7e71

      SHA1

      b275fe833b56f2746dac1c608605a6c19821f510

      SHA256

      74db463dd239397be2d74ff14ec3beab72dc53e93bb2ef02a122afc8a7cd5b5f

      SHA512

      1491760149dfbe81a462221539fa75e4b7ba0379f48d7ea4823fad51b6d276139563bdf437dbcdb17223934ca3a0b8b4a79a054c7c804cd37f7a1cbff939efce

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp17E5.tmp.exe
      Filesize

      12KB

      MD5

      fb9a823cac0989bb156abc7e898c81f9

      SHA1

      db05856712d00fa84d4299ec977096230d872bd1

      SHA256

      0029caea3d036a98bac9f4cc1baf7c460f18290cf900af7e8cec3407a2b59f66

      SHA512

      ef613706f9837701250e9f2f76f507f18ff9bddd40249b6096f6058e3daef1177a3ff7d7d71d398f62935185079b4716d6e7d41c978f64fbf862f0bbba76e601

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcF391E9A53C564051A5D1D9362E6C58A3.TMP
      Filesize

      1KB

      MD5

      d19dcacb157d87d29146b200f6f1e8f9

      SHA1

      42b1f0862bf8361832e738f50d2898b5f1582e11

      SHA256

      2e2d541352f76df1fb04d663d2403d421bcaf4c5476f79f57764e3c258159ed5

      SHA512

      1dd8bc090dc426872fe05e3f4ee1c841b6dbbc7235834c42b9b6c1ec37a4565748f9a587fb3874859a2c448788649e1680f9fb48aede590d2bda19d0f573623e

      Download Submit

    • memory/2608-23-0x0000000000920000-0x000000000092A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2784-0-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2784-1-0x0000000000890000-0x000000000089A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2784-7-0x0000000074D80000-0x000000007546E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2784-24-0x0000000074D80000-0x000000007546E000-memory.dmp

      Filesize

      6.9MB

      Download