Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

e3d56cb8a1...cs.exe

windows7-x64

7

e3d56cb8a1...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17/05/2024, 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    e3d56cb8a1888a094bd62f0c55b20120

  • SHA1

    1deb91560f6f2d9df5c1e554b14cfd4ab0081bf3

  • SHA256

    678a9e0f6907b201d89975a23139c7e9b56fa092e071e67fd1073d82e73730f9

  • SHA512

    323d46ca80409e87bb7b26ea0718749e2f0c3bbadc4a8ab413d37d50fade5d17958b38b54e450d16a0cbc47390bf48706edf6197d919dbf59f84a1edd481f4c5

  • SSDEEP

    384:cL7li/2zTq2DcEQvdhcJKLTp/NK9xaqd:6fM/Q9cqd

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4rzhffo1\4rzhffo1.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc956E107DBECB414AACC93A5DA6394085.TMP"
        3⤵
          PID:2544
      • C:\Users\Admin\AppData\Local\Temp\tmp1F93.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1F93.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:872

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\4rzhffo1\4rzhffo1.0.vb
      Filesize

      2KB

      MD5

      1917ea283c54057cbfc470621710dcea

      SHA1

      bfcdd3c101e1086d0656e8a3e066df25c6aa4016

      SHA256

      5c975a00aa6e0f1f1899ea1699f1ade975264098bf433fc549c8944cd2c7ca67

      SHA512

      c95fb08df95d54738cfeaef974902d3b6e766a0317f8af73ce50393a4b68c426589a5352288edb9bee5dbf8c3fc90f4c15f5362e4bfa5545966bf03dc19c84cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\4rzhffo1\4rzhffo1.cmdline
      Filesize

      273B

      MD5

      f832be721751190d509d2e40b2d71e15

      SHA1

      92a0a70f804252e9b0b5c2de208ff5d8ef7c8518

      SHA256

      f569a13dc3de0a458fb03049a0bcc791cdd8444fb1f94835c355cf9abf434f0c

      SHA512

      1d9e161a48d63cc39f059cbd5140ddac88960118998f0a4e480fea936bc371de5e537bea5cd4b5cb451bb56f058bd8b72ec114df30f545dc4f9c29d57f246a16

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      72cfea5b9ab0d00615f9193af27751a9

      SHA1

      d0b99400510e2f4b280c9876047fa389ff660bef

      SHA256

      9f02c33cc7f6037aadff6820ae87e53c1fd6a362866536d48b0b2f2fcfc840f3

      SHA512

      a4bf2c20b383e86bdacf8e1cb877bdbc187c70d18dcdef9c4f064485563d108af35a727f72bf7735b7d96801980319e2a606c61d3639fef85033a74988409b22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES20CA.tmp
      Filesize

      1KB

      MD5

      ab82738548c36bba9614b7835237e379

      SHA1

      88f96dd3d197a2ca24d4482bb500c659f84cb700

      SHA256

      2e3e8515f811950bd1557412748b33084556a857de84d633211d931718ca7d78

      SHA512

      ab93f9133d38983c07feabce7260d959045e909676d0681f36ec2ec870fac18fb2d84da367ea556b078291a073edda6ba91c4bbad42a662fd7dc8440454ca3af

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1F93.tmp.exe
      Filesize

      12KB

      MD5

      fd86a4a2d3eb81ecca777e8a61a23acc

      SHA1

      ed490138594cea9104298db1f0d96c60c9b3a5a7

      SHA256

      4664dc467b64b2bda85949d14c8bd2dafe36385771a59d473238ba2627845e0d

      SHA512

      dda6a4917b8f504eca6536c6134f7e63166c046958a4e5fb4d8f2be047bc7590374d4588bdbd2d908fc6d595b41fafe3790b7e4aac57700084d49ba3a96b67b2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc956E107DBECB414AACC93A5DA6394085.TMP
      Filesize

      1KB

      MD5

      92c4c18a585fdd7e5b5937629f632116

      SHA1

      0a229bd1e9d1b2be81217ec86cd7dcb4fc9a55f9

      SHA256

      01d05348d45bfa07f7b9db9f439956134e18c813302075da43751c10f0bddf31

      SHA512

      0f3687bd3e8070c1ddc49db2daaa912de437d126434bb4a543ca958fc70f538a41d0af0ea0e5cf99a36cf072450ed6d0abcc497af5233d3f95158ed662e552ad

      Download Submit

    • memory/872-23-0x00000000008E0000-0x00000000008EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2724-0-0x000000007419E000-0x000000007419F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2724-1-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2724-8-0x0000000074190000-0x000000007487E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2724-24-0x0000000074190000-0x000000007487E000-memory.dmp

      Filesize

      6.9MB

      Download