Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

d34a4fb498...cs.exe

windows7-x64

7

d34a4fb498...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    15/05/2024, 13:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    d34a4fb49868a07637ff78539d9a98b0

  • SHA1

    6b9d005662c65598814abd8aeadc5866928f7c8c

  • SHA256

    c392336ce40a0e5fd21978898d7814b4a106a177a1113636e81d5babb675c48b

  • SHA512

    ceff157513ab97cff0e43b85dbf328e1c0409e76c5413020dd4fb6fcddce130d831ffd56598d49f99f361605d7449ccf74ee7517acd09eb71ac241576af2d711

  • SSDEEP

    384:GL7li/2zqq2DcEQvdhcJKLTp/NK9xaU1:giM/Q9cU1

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m2nczlyl\m2nczlyl.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E12.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3D9AD5142674842AE4F2A53BAC8901A.TMP"
        3⤵
          PID:2660
      • C:\Users\Admin\AppData\Local\Temp\tmp2C7E.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp2C7E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d34a4fb49868a07637ff78539d9a98b0_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2760

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      bd9f80fc88b2ef37a6f03d92f0a9eca2

      SHA1

      f5596b52159bd5e589dc4dd4b7fdd46b31766337

      SHA256

      77c48359f4455a5ddef37ee1d822da240be6bcafd1e3c37c08fa24f00b567c84

      SHA512

      aa06214c4d06e03707f9b676b614dc62e5b3158cc83abfc04f127af7594e810b9e9bf1f1a4a4da3724542cb914c16d54f8bc62906117483fb0d513d4517d2311

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES2E12.tmp
      Filesize

      1KB

      MD5

      71725921438bb3b75548180b04c9b6d0

      SHA1

      b5d5962cb4ae3843c14eff51096fd8321538c190

      SHA256

      b1e89cbbc49ba4b770460a78e5dc98c6028d83e3c07e14a0eee73c846ffed920

      SHA512

      5cf2f66221c1956fcb551d25d0092ff8d7abc64c2221f40ce97758fbe1003cf0fa5d617d9fcb2757a281e342913b7e88bed9207aba91e21a9eaf0d82fbfa4cae

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\m2nczlyl\m2nczlyl.0.vb
      Filesize

      2KB

      MD5

      6d1799b81514da64677c58c1f929f8de

      SHA1

      5f4750b5ce7bc3cfd8350dc7e017cfc7aab60ef8

      SHA256

      0aa8a0854f22e9fd765d99c5b807865f46fc692a675dfa24184fbfadac0f1323

      SHA512

      1629d5e1f594cdba3224134141c109f0d25aac84bdf32149f416034a2002ca1f7d0b95c7b9649c778a2d1799ce9736ca23ae84adb8efd8caada93391512c87a8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\m2nczlyl\m2nczlyl.cmdline
      Filesize

      273B

      MD5

      93c0eb8fa2833563e345e7e7bb8f01e4

      SHA1

      97b8b9d14a6d69a87d2a8795e1abf6144acdbae8

      SHA256

      b5a0d0a7048217e0e3ad5d3d7f6f31e090b40308ebbe04494d0f39bcfc8883ad

      SHA512

      d72f1dacb06b21a3def3fc9c9c2a28862da88b6a540528abd73f43f785d7c53c8505e286fc1d445602ebfc862232c09e63cc9a05de4dea5f878e925433010166

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp2C7E.tmp.exe
      Filesize

      12KB

      MD5

      830f9d5440d0b5d306452c511877aafb

      SHA1

      c095d4269793bd6e75de6c500cf6bc782746cb3a

      SHA256

      b1e2723d47f723f5b8edd1c3a5d2736af75a8973de9443483f30d2e560632233

      SHA512

      7e0134604688189c10e6a18eccfa7d65d474f6ca60592bc7194998012a19865b3c66cb9b93e1f5f341166e39948f46fa7ff54cc3be151925bdfc0635095c4b3b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcE3D9AD5142674842AE4F2A53BAC8901A.TMP
      Filesize

      1KB

      MD5

      92ce27c88f0f824b836fc9d08e2a1d0b

      SHA1

      2d3039de3095115b303f64889712d0a0884efb5d

      SHA256

      b79ab0f2f030d79ded08f2b02e8ecdec97d0dcebbcf69007f4dbdfc995050fcd

      SHA512

      efc0cc201646eafb7727e0abf6758a1bee9f041ad8f2ec905f5a2caa9bfe9f7a8b0251480a67284df4bbf48037b37c9139fa35549f60b1eb15cfbc67626680f7

      Download Submit

    • memory/2104-0-0x000000007458E000-0x000000007458F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2104-1-0x0000000000150000-0x000000000015A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2104-7-0x0000000074580000-0x0000000074C6E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2104-23-0x0000000074580000-0x0000000074C6E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2760-24-0x0000000000230000-0x000000000023A000-memory.dmp

      Filesize

      40KB

      Download