Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 21/05/2024, 12:20
Static task
- static1

Behavioral task
- behavioral1
  Sample: 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
  Resource: win7-20240508-en

Behavioral task
- behavioral2
  Sample: 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
- Target: 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
- Size: 12KB
- MD5: 18be8734f158add81a1d6123270c7e10
- SHA1: 33e6e05ec5f55c7945b8993dcb947ad4b3a6c165
- SHA256: 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054
- SHA512: a87de3c25201319c005c14a9328eada2640b220c8c618df3cf6e22dfcecd80b9deb240a87ed33f3e7a5ba2ab62a851003a8661187a52b931d3bc825d57f3ce47
- SSDEEP: 384:EL7li/2z8q2DcEQvdhcJKLTp/NK9xaet:S4M/Q9cet
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  2716 | tmp2618.tmp.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2716 | tmp2618.tmp.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  2268 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2268 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2268 wrote to memory of 2244 | 2268 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe | 28
  PID 2268 wrote to memory of 2244 | 2268 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe | 28
  PID 2268 wrote to memory of 2244 | 2268 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe | 28
  PID 2268 wrote to memory of 2244 | 2268 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe | 28
  PID 2244 wrote to memory of 2604 | 2244 | vbc.exe | 30
  PID 2244 wrote to memory of 2604 | 2244 | vbc.exe | 30
  PID 2244 wrote to memory of 2604 | 2244 | vbc.exe | 30
  PID 2244 wrote to memory of 2604 | 2244 | vbc.exe | 30
  PID 2268 wrote to memory of 2716 | 2268 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe | 31
  PID 2268 wrote to memory of 2716 | 2268 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe | 31
  PID 2268 wrote to memory of 2716 | 2268 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe | 31
  PID 2268 wrote to memory of 2716 | 2268 | 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe | 31
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe"
  PID: 2268
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2y3fregl\2y3fregl.cmdline"
    PID: 2244
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2710.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C4846F97D424E55B2F6D7F8F2F9AF8F.TMP"
      PID: 2604
  - [2] C:\Users\Admin\AppData\Local\Temp\tmp2618.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2618.tmp.exe" C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054_NeikiAnalytics.exe
    PID: 2716
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 76dd5118cae0ee6772bce2852ee9a49a
  SHA1: 3067f5badbf12320a3d6def782680f0eba5bbe0a
  SHA256: 0c071bef990d32964d3f8560bc83593c76697aebd0bae2ffadbd7135808cb973
  SHA512: 7e4d5c4b17033712685c79e432780d1841e91fc44c011755a57d2ec8c4d9317c46b749b3a38d6dd4cadcea99d74f2f2d4a9ea8e8638e441961866f1c75696540
- Filesize: 273B
  MD5: 6aa3affa2909823ce623893b20bfa9d4
  SHA1: e94cb8e0f3113f6fb5e9bf9366063b16df9514b8
  SHA256: bfdfc52ec0d01214deecfdd8bdd63ddad515e1ee3554ad86879b755f6ad1ab79
  SHA512: abcfa77ea91f32c0df9652f50d9b94d1cdd946f914bc842d8d1331f56f11383987db807df48d7c8143e1478d4d31816c7f58f6afa5fe3b9f10cdb063db1b6241
- Filesize: 2KB
  MD5: 1175978d3091e9bee5db76440b9bdaa4
  SHA1: a6198a5d9d75b7e8ba076d97d5b88f59356cdcb6
  SHA256: e523f5fa0a51cd9a6b171ce0f9628359431c8bafb36ee8dd840907a5a613ab33
  SHA512: a2937b4a42ad7df2b83ddad1c3817432ac23214594ec1d08e2e3d1718f29c78ecd29c01bc072ec999b0d444bc0e2e029ff36ad70304c413a036d02169e23801b
- Filesize: 1KB
  MD5: 8b384b82394bc7459d744907f7ce4dbf
  SHA1: 8ee51e42cead6455e07e6569558e404db943e487
  SHA256: 394097086ee1a2ed24295b7c51494e92f06f5741b32996fd9b085d09048536b7
  SHA512: 7fc56a2e944e1e3d77068de348f0b6b3ea43e2adf1783e4f4e185b55843b9c5fc350702d9fc9d23a7840c18c836b7b2af6c23bb591d4950886ded6672f3ab4d3
- Filesize: 12KB
  MD5: edfeae7f8900858a76ce2e7e025e3e04
  SHA1: a6a3f15e7570812a99f920761b63b1f4e77a3c8e
  SHA256: 9c5982fc69a562f8bde8275774630e162930bd4b38ca22cf8c51195f71511a52
  SHA512: 264cc956be73f437867838714868aeece725e421bfeabab7f74af215d283a5db477007d20cde208345a76a5dc1954a47e159b504df301f0bf5a667ecb80c9f41
- Filesize: 1KB
  MD5: cc4ed7a9c67f9c040f448abb29adc0bd
  SHA1: b59b87a87259b032a07955a948b02f4ee8f6c27e
  SHA256: ecdac5b87667b1d8d038a5f21d9837407bb2b4cfbb120093569cef98674c7468
  SHA512: 9846f306387e4cbff7246c17083fe8990488fb4c6742f5a67c1880a7134bb1ab4f6c8c9666f6fdac61e28a5e7fdd5b8d60af33e2fbeeb368f5b10c1e3c7ec077