Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
15/05/2024, 13:09
Static task
static1
Behavioral task
behavioral1
Sample
d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
General
-
Target
d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe
-
Size
841KB
-
MD5
d37fa204010d8351a6f2d6406c6cd020
-
SHA1
f24316416c6526ce14450fdc3a1c6474e1be9ac9
-
SHA256
ee9099a6fe31d5b8e2389a8a6a88ca77edbf378d31430aa598de6248408d2292
-
SHA512
2c48195ba1f0c1329584a43bc01dc6b430e79a90b423b5dfd52e94a5aced3a70d15e0691d7f6d727f55fbe223ade8750523f223619ad7f0afaffd7fe90b22729
-
SSDEEP
12288:l13ElZw9bISFxyfodkrF0745EenMa3w8zEcMlG/Pkp6xH+GUrz/gxJET0q7cgY4V:l1Ma9ESFxeoduF645eaDzXEj
Malware Config
Extracted
redline
194.26.232.43:20746
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/2560-20-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/2560-18-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/2560-16-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/2560-13-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/memory/2560-11-0x0000000000400000-0x0000000000452000-memory.dmp family_redline -
Loads dropped DLL 1 IoCs
pid Process 1896 d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1896 set thread context of 2560 1896 d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe 29 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2560 MSBuild.exe 2560 MSBuild.exe 2560 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2560 MSBuild.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1896 wrote to memory of 2560 1896 d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe 29 PID 1896 wrote to memory of 2560 1896 d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe 29 PID 1896 wrote to memory of 2560 1896 d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe 29 PID 1896 wrote to memory of 2560 1896 d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe 29 PID 1896 wrote to memory of 2560 1896 d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe 29 PID 1896 wrote to memory of 2560 1896 d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe 29 PID 1896 wrote to memory of 2560 1896 d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe 29 PID 1896 wrote to memory of 2560 1896 d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe 29 PID 1896 wrote to memory of 2560 1896 d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d37fa204010d8351a6f2d6406c6cd020_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
397KB
MD55448e865680ecc9fc71b564ab8c61c15
SHA1a101dc0c2113cabff54c1f37cc32240353a7c180
SHA256e84a67bb8079e12fd589fecb65c7113328c1257db536f3eeae7013340f6e8512
SHA5129630400cde5dbd33e8fc862ce69da3f275bb9b7f5b22a3967acfa1523385a44aae599f5bbbeb6e649120153c77414edefef8b0c13851c2770e43cd300b138ebf