Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

7011cc050b...cs.exe

windows7-x64

7

7011cc050b...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    16/05/2024, 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    7011cc050bdfc4ba002c47a27d7aa470

  • SHA1

    62d0239706dd6bb7406171b3bca55136e251d04a

  • SHA256

    28b8ebecd0379c57fe368aaddd0ecf30827a9a9889b63ea06384dda5c8e39369

  • SHA512

    a4278e19bc6a1038b7cb2610cfd1b4dc80f3436bfda49219797303d24e8d40151c7dcd9333c1a58663a33658e0e65f05ce456b65edf36070bdb5462fe512c931

  • SSDEEP

    384:WL7li/2z5q2DcEQvdhcJKLTp/NK9xabu:Q5M/Q9cbu

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ihhsjsa1\ihhsjsa1.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B6D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc37EC36432C6A44F198D18CD5FCB67026.TMP"
        3⤵
          PID:2888
      • C:\Users\Admin\AppData\Local\Temp\tmp1A65.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1A65.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7011cc050bdfc4ba002c47a27d7aa470_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2680

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      9e4f10d8f08ef35faf7efba2741f2782

      SHA1

      cf35806005d3eff1ee892a425de6b7597e5a8f14

      SHA256

      9d0302dfe3e35b53e4db56136dcaf5e56639908a648cb8cbe1d57d977799b432

      SHA512

      0bfb79d47953f591c2918b18256794f7d108c2f3d1bed1aaa684444a632fb30c421604757ae4188dc5bdc22d23fdc00f98517a1d58569fa8c1b16ce2c71e2b6a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES1B6D.tmp
      Filesize

      1KB

      MD5

      0608e8acab0459ee79d088318bce01ff

      SHA1

      7241bfae66d7ad1f4f23a70b2bd966d3c98280f7

      SHA256

      395cbdbd43ec5936937d7ebafe3a57e388d27e11ccea78f9a099066b95ab8ef9

      SHA512

      94b76d320e369c1747e0cb6144c2af145de89307889f15479b1b405f8806a7229c8dbb10bcc7b2aaf8795ce5b0fd038f8f1eeb8be5434eee7b9663a34871aa16

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ihhsjsa1\ihhsjsa1.0.vb
      Filesize

      2KB

      MD5

      5dc1623b4ed0b38b24fd49eeb3d3b706

      SHA1

      482dfb4d979ddc1f3841ecd3afa80d37b71a3661

      SHA256

      dca8d9ee2a2aad256e87b58d0ae0963b2d89a8d01f3885b9e3c2c3c3b1d0b4e7

      SHA512

      139237cfba8a7300c0d5ed7f0837c680d62427380b9392dca81d7cde98f247d7658bd271f9ece148f46105d2494c09718cf1009490d80eb4084d82daeaca9985

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ihhsjsa1\ihhsjsa1.cmdline
      Filesize

      273B

      MD5

      1d2177a8498d464fc7d266730a7f2604

      SHA1

      035ddf8ee1d27db81ece03db5a489efcd739e248

      SHA256

      de42141a479c43f65e4f4d8577ec491a9141b4f0f85c765d9069d344ab44813b

      SHA512

      6b1989571310deb083b396daa0c949807ca0b6d4fcc25dda51d02e67b0c28c5f7e57b5dfdc7bd1e4e85175acb934e2f1e43c3908523a42c81fd7707835379e07

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc37EC36432C6A44F198D18CD5FCB67026.TMP
      Filesize

      1KB

      MD5

      1f89c9af7679fe801332653647c35b2e

      SHA1

      de027fd3cdda343c99b285aa6f27173cd192eaff

      SHA256

      08841e9b31c42cc44dbe48f1ad95d57635d8c0e820a8767a96ec1a64b9992f90

      SHA512

      8b72869622f6ecaf12920f2423ca43cc030a02022f87e7ab7038dc8660da130a8f3ad64bb4cb434e0dafcf53c2eab52a9216aefb7abc015eefb20aca3da4f026

      Download Submit

    • \Users\Admin\AppData\Local\Temp\tmp1A65.tmp.exe
      Filesize

      12KB

      MD5

      db3f73d2b5a0629ccdfb814035a3407e

      SHA1

      777d77cc960d60f94c2cb2abc824d54f7a1ceb95

      SHA256

      8e99e6dec69104ea8cbafcb4cd0bb68ca3a40cb309977725aa70b087306886e6

      SHA512

      1bda094e73174dacdb9476c65b54ae43a4933c66f65d93032aa6b75d1deea2b9ed96bb169da616bc2a82714998d126d1a4c6360fb6b18fb6397d47c9293fe61c

      Download Submit

    • memory/2320-0-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2320-1-0x0000000000060000-0x000000000006A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2320-7-0x0000000073F30000-0x000000007461E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2320-24-0x0000000073F30000-0x000000007461E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2680-23-0x00000000003F0000-0x00000000003FA000-memory.dmp

      Filesize

      40KB

      Download