Analysis
Max time kernel: 119s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 17/05/2024, 08:58
Static task: static1
Behavioral task: behavioral1
  Sample: e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
Size: 12KB
MD5: e3d56cb8a1888a094bd62f0c55b20120
SHA1: 1deb91560f6f2d9df5c1e554b14cfd4ab0081bf3
SHA256: 678a9e0f6907b201d89975a23139c7e9b56fa092e071e67fd1073d82e73730f9
SHA512: 323d46ca80409e87bb7b26ea0718749e2f0c3bbadc4a8ab413d37d50fade5d17958b38b54e450d16a0cbc47390bf48706edf6197d919dbf59f84a1edd481f4c5
SSDEEP: 384:cL7li/2zTq2DcEQvdhcJKLTp/NK9xaqd:6fM/Q9cqd
Malware Config
Signatures
- Deletes itself (1 IoC): PID 872, tmp1F93.tmp.exe
- Executes dropped EXE (1 IoC): PID 872, tmp1F93.tmp.exe
- Loads dropped DLL (1 IoC): PID 2724, e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
- Uses the VBS compiler for execution (1 TTP). The "VBS compiler" here is vbc.exe, the Visual Basic .NET command-line compiler that ships with the .NET Framework (C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe), not the VBScript engine. The sample launches it with /noconfig and a @*.cmdline response file in a randomly named directory under %TEMP%, followed by cvtres.exe: this is the layout the .NET CodeDOM compiler produces when a program compiles source code at run time. The compiler's output path is not shown in this report.
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC): PID 2724 (e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe) adjusted its token to hold SeDebugPrivilege.
- Suspicious use of WriteProcessMemory (12 IoCs). The report lists each source/target pair four times; grouped:
  PID 2724 (e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe) wrote to memory of PID 2496 (vbc.exe), target procid 28, 4 events
  PID 2496 (vbc.exe) wrote to memory of PID 2544 (cvtres.exe), target procid 30, 4 events
  PID 2724 (e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe) wrote to memory of PID 872 (tmp1F93.tmp.exe), target procid 31, 4 events
  Every target is a child that the source process itself launched; the report records no write into a process outside this chain, so these entries document the process-creation handoffs rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe (PID 2724, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2496, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4rzhffo1\4rzhffo1.cmdline"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2544, depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc956E107DBECB414AACC93A5DA6394085.TMP"
  C:\Users\Admin\AppData\Local\Temp\tmp1F93.tmp.exe (PID 872, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1F93.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe
    - Deletes itself
    - Executes dropped EXE
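The process tree above shows two behaviours worth alerting on: a non-developer process driving the .NET compiler (vbc.exe with a @*.cmdline response file under %TEMP%, then cvtres.exe), and a dropped *.tmp.exe in %TEMP% started with the original sample's path as its argument before the original is deleted. The following detection logic is an added example written for this page, not tria.ge code. The events are constructed from the report's PIDs and command lines; the sample's own parent PID (1000), the benign control events, and the DEV_PARENTS allow-list are assumptions.

```python
"""Detection rules for the compile-at-runtime / dropper-handoff chain in this report.

Added example, not tria.ge code. EVENTS is constructed from the report's
process tree (PIDs 2724 -> 2496 -> 2544 and 2724 -> 872); the sample's parent
PID (1000), BENIGN, and DEV_PARENTS are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged by the sandbox/EDR


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e3d56cb8a1888a094bd62f0c55b20120_NeikiAnalytics.exe"
NET_FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
TMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\tmp1F93.tmp.exe"

# Constructed from the report's process tree (parent PID 1000 is assumed).
EVENTS = [
    ProcEvent(2724, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2496, 2724, NET_FW + r"\vbc.exe",
              '"' + NET_FW + r'\vbc.exe" /noconfig '
              r'@"C:\Users\Admin\AppData\Local\Temp\4rzhffo1\4rzhffo1.cmdline"'),
    ProcEvent(2544, 2496, NET_FW + r"\cvtres.exe",
              NET_FW + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              r'"/OUT:C:\Users\Admin\AppData\Local\Temp\RES20CA.tmp" '
              r'"C:\Users\Admin\AppData\Local\Temp\vbc956E107DBECB414AACC93A5DA6394085.TMP"'),
    ProcEvent(872, 2724, TMP_EXE, '"' + TMP_EXE + '" ' + SAMPLE),
]

# Constructed benign control (assumed): Visual Studio compiling a project whose
# response file lives in the project tree, not in Temp.
BENIGN = [
    ProcEvent(300, 200, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              "devenv.exe"),
    ProcEvent(301, 300, NET_FW + r"\csc.exe",
              '"' + NET_FW + r'\csc.exe" /noconfig @"C:\src\app\obj\Debug\app.cmdline"'),
]

COMPILERS = {"vbc.exe", "csc.exe"}
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}   # assumed allow-list
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def runtime_compile_hits(events):
    """Rule 1: a .NET compiler launched by a non-development parent with a
    @*.cmdline response file under the user's Temp directory.
    Returns (parent_pid, compiler_pid, response_file) tuples."""
    procs = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in COMPILERS:
            continue
        parent = procs.get(e.ppid)
        if parent is not None and basename(parent.image) in DEV_PARENTS:
            continue                      # IDE/build-tool parent: expected
        m = RESPONSE_FILE.search(e.cmdline)
        if m and TEMP_DIR.search(m.group(1)):
            hits.append((e.ppid, e.pid, m.group(1)))
    return hits


def dropper_handoff_hits(events):
    """Rule 2: a *.tmp.exe running from Temp whose command line names its own
    parent's image, the handoff that precedes the parent being deleted.
    Returns (parent_pid, stub_pid, parent_image) tuples."""
    procs = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not (basename(e.image).endswith(".tmp.exe") and TEMP_DIR.search(e.image)):
            continue
        parent = procs.get(e.ppid)
        if parent is not None and parent.image.lower() in e.cmdline.lower():
            hits.append((e.ppid, e.pid, parent.image))
    return hits


def chained_hits(events):
    """Correlation: the same process both drove the compiler and spawned the stub."""
    compile_parents = {ppid for ppid, _, _ in runtime_compile_hits(events)}
    return [h for h in dropper_handoff_hits(events) if h[0] in compile_parents]


if __name__ == "__main__":
    for ppid, pid, detail in runtime_compile_hits(EVENTS):
        print(f"runtime compile: parent PID {ppid} -> compiler PID {pid} ({detail})")
    for ppid, pid, detail in dropper_handoff_hits(EVENTS):
        print(f"dropper handoff: parent PID {ppid} -> stub PID {pid} (argument {detail})")
    print("chained:", chained_hits(EVENTS))
```

Run against EVENTS, rule 1 fires on PID 2724 spawning vbc.exe with the Temp response file, rule 2 fires on PID 872 receiving the sample's own path, and the correlation ties both to the same parent; the BENIGN control produces no hits because the parent is on the allow-list and the response file is outside Temp. In production the `.cmdline` check should be complemented by the Temp path of the compiler's output, which this report does not show.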
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 1917ea283c54057cbfc470621710dcea
  SHA1: bfcdd3c101e1086d0656e8a3e066df25c6aa4016
  SHA256: 5c975a00aa6e0f1f1899ea1699f1ade975264098bf433fc549c8944cd2c7ca67
  SHA512: c95fb08df95d54738cfeaef974902d3b6e766a0317f8af73ce50393a4b68c426589a5352288edb9bee5dbf8c3fc90f4c15f5362e4bfa5545966bf03dc19c84cf
- Filesize: 273B
  MD5: f832be721751190d509d2e40b2d71e15
  SHA1: 92a0a70f804252e9b0b5c2de208ff5d8ef7c8518
  SHA256: f569a13dc3de0a458fb03049a0bcc791cdd8444fb1f94835c355cf9abf434f0c
  SHA512: 1d9e161a48d63cc39f059cbd5140ddac88960118998f0a4e480fea936bc371de5e537bea5cd4b5cb451bb56f058bd8b72ec114df30f545dc4f9c29d57f246a16
- Filesize: 2KB
  MD5: 72cfea5b9ab0d00615f9193af27751a9
  SHA1: d0b99400510e2f4b280c9876047fa389ff660bef
  SHA256: 9f02c33cc7f6037aadff6820ae87e53c1fd6a362866536d48b0b2f2fcfc840f3
  SHA512: a4bf2c20b383e86bdacf8e1cb877bdbc187c70d18dcdef9c4f064485563d108af35a727f72bf7735b7d96801980319e2a606c61d3639fef85033a74988409b22
- Filesize: 1KB
  MD5: ab82738548c36bba9614b7835237e379
  SHA1: 88f96dd3d197a2ca24d4482bb500c659f84cb700
  SHA256: 2e3e8515f811950bd1557412748b33084556a857de84d633211d931718ca7d78
  SHA512: ab93f9133d38983c07feabce7260d959045e909676d0681f36ec2ec870fac18fb2d84da367ea556b078291a073edda6ba91c4bbad42a662fd7dc8440454ca3af
- Filesize: 12KB
  MD5: fd86a4a2d3eb81ecca777e8a61a23acc
  SHA1: ed490138594cea9104298db1f0d96c60c9b3a5a7
  SHA256: 4664dc467b64b2bda85949d14c8bd2dafe36385771a59d473238ba2627845e0d
  SHA512: dda6a4917b8f504eca6536c6134f7e63166c046958a4e5fb4d8f2be047bc7590374d4588bdbd2d908fc6d595b41fafe3790b7e4aac57700084d49ba3a96b67b2
- Filesize: 1KB
  MD5: 92c4c18a585fdd7e5b5937629f632116
  SHA1: 0a229bd1e9d1b2be81217ec86cd7dcb4fc9a55f9
  SHA256: 01d05348d45bfa07f7b9db9f439956134e18c813302075da43751c10f0bddf31
  SHA512: 0f3687bd3e8070c1ddc49db2daaa912de437d126434bb4a543ca958fc70f538a41d0af0ea0e5cf99a36cf072450ed6d0abcc497af5233d3f95158ed662e552ad