Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

b4e7ed8105...cs.exe

windows7-x64

7

b4e7ed8105...cs.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/05/2024, 05:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4e7ed81054fc59cb683727ddf5c7700_NeikiAnalytics.exe

  • Size

    786KB

  • MD5

    b4e7ed81054fc59cb683727ddf5c7700

  • SHA1

    fc1c4f6bba631951ea0f7e4c58fbdf352d749f19

  • SHA256

    7bf4ea67a4744def1c430e7fef939a1bd548da3f5b89de05b4721dc7ec3cacf7

  • SHA512

    220daf7668209d5ba3121986d1ef85f318bf51b5a59802b9531f94ca30e3fae068a5242d0eab411209e174a3132c82a15c68278762957fdb3c6b42f2b58c8e3e

  • SSDEEP

    12288:uwKfOVRo9yRYiQ7E4O8b8ITDnlOB1ZhIRPA0:uxWVeyRYiQ7E4O8b8ITDnlO30

Score
6/10
discoverypersistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 42 IoCs
  • Drops file in Windows directory 64 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4e7ed81054fc59cb683727ddf5c7700_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b4e7ed81054fc59cb683727ddf5c7700_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\RCX4A21.tmp
    Filesize

    787KB

    MD5

    9541d5cab6a79c692ef18f69b3d3fca5

    SHA1

    5c7cc70f2bb1ca80064d8330bff08efa6bf1fb4e

    SHA256

    c7b8e2d3fa32ec9c7c2183205840648c29163476df9d445728a377212f6690ed

    SHA512

    e569c6c1e331e2bcd9651b44107aa9e5571ef88f5292f4ae0419fdb3b3395dd8b490182d053ca832d2b70d2b06818844c81e9e342349840d2901985c4fb502e9

    Download Submit

  • C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\RCX3FFC.tmp
    Filesize

    787KB

    MD5

    ffc5b3ddc1138c7d08539c61fd5111af

    SHA1

    732ca67d74ff6b4fc4e0cd9e739b6acdc175df22

    SHA256

    fc8528d7335204c0134ca1f6f1d02c31a2abd9b32acfcc94025ac5a7324f7daf

    SHA512

    8c5064c7e6a84a3c9a6339638065c58e8e46ac89ee701eb6a33eac7aaf4c13cba8cf7e735ae261298f8dbb05303021453b115e545c0b6b2097759c4b1a7126f8

    Download Submit

  • C:\Program Files (x86)\Windows Photo Viewer\en-US\WindowsWindows10.0.19041.1.160101.0800.exe
    Filesize

    786KB

    MD5

    b4e7ed81054fc59cb683727ddf5c7700

    SHA1

    fc1c4f6bba631951ea0f7e4c58fbdf352d749f19

    SHA256

    7bf4ea67a4744def1c430e7fef939a1bd548da3f5b89de05b4721dc7ec3cacf7

    SHA512

    220daf7668209d5ba3121986d1ef85f318bf51b5a59802b9531f94ca30e3fae068a5242d0eab411209e174a3132c82a15c68278762957fdb3c6b42f2b58c8e3e

    Download Submit