Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

d847213bf8...cs.exe

windows7-x64

8

d847213bf8...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/05/2024, 15:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d847213bf8f1b86d41d5a0d8d45f76c0_NeikiAnalytics.exe

  • Size

    40KB

  • MD5

    d847213bf8f1b86d41d5a0d8d45f76c0

  • SHA1

    9d8d4be75194fbfc2b0cdabe602c93e44fe2c068

  • SHA256

    3c26d549cf4a1f19aa4c118cd89b214d398c977b0861f8aba7852b14e01ccec8

  • SHA512

    03ec7fd498d90411529e834dde8281aac8e897f9ca5bc448f2ee9c6f794b94b558160ea58828ecb21f2ffd6740acb1f1384a8a98855e0ccdbc9632ab7077fe03

  • SSDEEP

    768:1m/QojCpHfx0Zk6SLZRI+WE6F2UzpHjhm8f10+a3:EQoj85LLI+W5lju

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops autorun.inf file 1 TTPs 26 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d847213bf8f1b86d41d5a0d8d45f76c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d847213bf8f1b86d41d5a0d8d45f76c0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\AE 0124 BE.exe
      "C:\Windows\AE 0124 BE.exe"
      2⤵
      • Executes dropped EXE
      PID:2352
    • C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops autorun.inf file
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\drivers\winlogon.exe
        "C:\Windows\System32\drivers\winlogon.exe"
        3⤵
        • Executes dropped EXE
        PID:2484

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\AE 0124 BE.exe
    Filesize

    40KB

    MD5

    d847213bf8f1b86d41d5a0d8d45f76c0

    SHA1

    9d8d4be75194fbfc2b0cdabe602c93e44fe2c068

    SHA256

    3c26d549cf4a1f19aa4c118cd89b214d398c977b0861f8aba7852b14e01ccec8

    SHA512

    03ec7fd498d90411529e834dde8281aac8e897f9ca5bc448f2ee9c6f794b94b558160ea58828ecb21f2ffd6740acb1f1384a8a98855e0ccdbc9632ab7077fe03

    Download Submit

  • C:\Windows\Msvbvm60.dll
    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

    Download Submit

  • C:\Windows\SysWOW64\drivers\winlogon.exe
    Filesize

    40KB

    MD5

    b88d41ea2279357efa9855cda64e71eb

    SHA1

    329e0889d6770574a8654eebb0cfe935a1763db1

    SHA256

    b76cf3532d9631e972838274b4261e459e64cb778af9f01c564a9a58f5d0dd66

    SHA512

    f26e3a22ad5453bdafc10cbdd98873efad1a8a0fb7b9c06e1609a879f8b5708a596f87d87ccaf39ad5c4777a1a3efea8d8666975957e9bd089c5c370b29a69f4

    Download Submit

  • \??\c:\B1uv3nth3x1.diz
    Filesize

    25B

    MD5

    589b6886a49054d03b739309a1de9fcc

    SHA1

    0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

    SHA256

    564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

    SHA512

    4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

    Download Submit

  • memory/2552-38-0x0000000003DF0000-0x00000000041FB000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2796-16-0x00000000037E0000-0x0000000003BEB000-memory.dmp

    Filesize

    4.0MB

    Download