Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/05/2024, 10:32

General

  • Target

    36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d_NeikiAnalytics.exe

  • Size

    623KB

  • MD5

    0e3032eb8d5e9402786852acea00c450

  • SHA1

    b39591df4b70a4a69c2647e50f1196e5c2e2ac89

  • SHA256

    36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d

  • SHA512

    38f8abb9f4ad97a5b75d3a54a62c7a4805e99ee3ebb0caebf97cfe5b178fb5efe783b5464d43175339eb4f500de47bc0d54702427270963e11ba707d504449cb

  • SSDEEP

    3072:vtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQuoYKN6LSSe9o6Y:luj8NDF3OR9/Qe2HdklruoYk6LReM

Score
7/10

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d_NeikiAnalytics.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\SysWOW64\casino_extensions.exe
        C:\Windows\system32\casino_extensions.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2208
        • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
          "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
          4⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:3016
          • C:\Windows\SysWOW64\LiveMessageCenter.exe
            C:\Windows\system32\LiveMessageCenter.exe /part2
            5⤵
            • Deletes itself
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            PID:1716


Downloads

  • \Windows\SysWOW64\LiveMessageCenter.exe

    Filesize

    640KB

    MD5

    c103735813981d3b800bf597cc96c425

    SHA1

    78ce93248ccc9f7b2a3e1cf2a959a0365635307c

    SHA256

    f3c08aed4b7ad9f58946ff32617a1aaf43416391af145d5d985689871a5beb81

    SHA512

    3622a82e259b13fef2dda8da47da5d6763b784cd22b1ed535f38486fc6c54adc27a108e9faef786748a92a9ed6c1d20230cf556216316e8506293437f21270a7

  • \Windows\SysWOW64\casino_extensions.exe

    Filesize

    625KB

    MD5

    03adbb91a16809bd6fa059a53ddfe040

    SHA1

    c3ec32fe9b94e866c1fb05f4c74ecd7357166b6b

    SHA256

    0f107e7e62c98d3fceae214e8f72cda412cdf2a3f0792229ebe43ae4eaaec91c

    SHA512

    5f7058fd6f9c8baaaf93b8bca36a980b755076075bf1e0a8ff420900e41aaf5a3cdbc20a5bc20bd1c5f5ede64845933e1ba00611db76d957584c66093522d187

  • memory/2364-20-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB