Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/05/2024, 05:08

General

  • Target

    b4e7ed81054fc59cb683727ddf5c7700_NeikiAnalytics.exe

  • Size

    786KB

  • MD5

    b4e7ed81054fc59cb683727ddf5c7700

  • SHA1

    fc1c4f6bba631951ea0f7e4c58fbdf352d749f19

  • SHA256

    7bf4ea67a4744def1c430e7fef939a1bd548da3f5b89de05b4721dc7ec3cacf7

  • SHA512

    220daf7668209d5ba3121986d1ef85f318bf51b5a59802b9531f94ca30e3fae068a5242d0eab411209e174a3132c82a15c68278762957fdb3c6b42f2b58c8e3e

  • SSDEEP

    12288:uwKfOVRo9yRYiQ7E4O8b8ITDnlOB1ZhIRPA0:uxWVeyRYiQ7E4O8b8ITDnlO30

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4e7ed81054fc59cb683727ddf5c7700_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b4e7ed81054fc59cb683727ddf5c7700_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2496
    • \??\c:\program files (x86)\microsoft office\office14\library\solver\microsoftsolver32.exe
      "c:\program files (x86)\microsoft office\office14\library\solver\microsoftsolver32.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1884
    • \??\c:\program files (x86)\common files\microsoft shared\smart tag\1033\officemicrosoft14.0.4744.1000.exe
      "c:\program files (x86)\common files\microsoft shared\smart tag\1033\officemicrosoft14.0.4744.1000.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1032
    • \??\c:\program files (x86)\common files\microsoft shared\dao\dao360microsoft.exe
      "c:\program files (x86)\common files\microsoft shared\dao\dao360microsoft.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:792
    • \??\c:\program files (x86)\common files\adobe\updater6\adobeupdaterinstallmgradobe.exe
      "c:\program files (x86)\common files\adobe\updater6\adobeupdaterinstallmgradobe.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2460

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\RCX37A7.tmp

    Filesize

    787KB

    MD5

    040360bfb510a37e843e5a99adbcbadb

    SHA1

    10121f87c74492b568eb9cd510b7829fbc014435

    SHA256

    7676864420b08ce68e0ad4a8b7d661bddd23dd7f53c0f3e1f4fc4d1d1a38dc64

    SHA512

    da1ffe2fb60449887dbbf947a5c8a71f6a6d379883a00155d63afa5714de63a2758e7f07353d66861bb6ded09a3c0ceb8959f05e9c9e5a71eaba4284bceb3f97

  • C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\ToolsWord.exe

    Filesize

    786KB

    MD5

    b4e7ed81054fc59cb683727ddf5c7700

    SHA1

    fc1c4f6bba631951ea0f7e4c58fbdf352d749f19

    SHA256

    7bf4ea67a4744def1c430e7fef939a1bd548da3f5b89de05b4721dc7ec3cacf7

    SHA512

    220daf7668209d5ba3121986d1ef85f318bf51b5a59802b9531f94ca30e3fae068a5242d0eab411209e174a3132c82a15c68278762957fdb3c6b42f2b58c8e3e