Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

930c5ed384...cs.exe

windows7-x64

7

930c5ed384...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    24/05/2024, 21:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    930c5ed38490afea5f8e625ae27b76b0

  • SHA1

    efd4d953b1316cb804fb5b483c544e3575010062

  • SHA256

    206c41107f4a1eaed6184b192f211a05b16cb1968825e2a0917792af1eba24e9

  • SHA512

    82a3adef52dad16914ad0350982d4f2f83c2a5389dfa60a15268572ca03fbd580c778ea522a423a6ca8564c28ed56819e34597fe246d98ca28880c47c3927dfd

  • SSDEEP

    384:lL7li/2zWq2DcEQvdhcJKLTp/NK9xa5K:l2M/Q9c5K

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vvgr2oip\vvgr2oip.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES254C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc448803D499004322A11B4DC35B68691.TMP"
        3⤵
          PID:2608
      • C:\Users\Admin\AppData\Local\Temp\tmp2398.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp2398.tmp.exe" C:\Users\Admin\AppData\Local\Temp\930c5ed38490afea5f8e625ae27b76b0_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2712

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      ba0fa2e1e0076a2aa590b346529b4c4e

      SHA1

      f4fffd26518d5ecc7c26a074957c86aeb9142497

      SHA256

      d4853ef6715b83987ea4b85ba0bfea5fd7003cfc6a46ccbc09b5be242545553e

      SHA512

      b434c91f950223b29c0c9c6738d2a447dc240fca559eaaa85b9778f28ce6f2e83cd02bc83e5d6407789006856b563001ea217fd4c6aca371e9fa96bb834ae87b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES254C.tmp
      Filesize

      1KB

      MD5

      a221a3f0d688f8f3787a13ae5faf2a93

      SHA1

      2914d60bcd3d0f42f185bbfe32f5ec4b32d3be4e

      SHA256

      dc36eeb9bde7de077324c237d1084ca484bd621dd3ec047c7bd8b24d6ab4552f

      SHA512

      4d968d678f2db526a95873cdb3827b09f57e9042f18eaa4f4a188a4eccad26d6120d71de671fbe4722e5d30197652b7f8d472ca623efc150557dd15a8580fb55

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp2398.tmp.exe
      Filesize

      12KB

      MD5

      2e614b79a4379fe1773122614ac3af8a

      SHA1

      9676b7ba030ad6bc01f98e8ec6c3fbb574430d3e

      SHA256

      6d4e175b24c4d9fa6943bce75ff7b4e8eeb99da98900fc1e1a1a0cc8b6b148b1

      SHA512

      b802288504d825c97f780d641beee71beb01173e81da5a3a18978be1080eb49e629616c4aae143f51c2ed6e21efe29907c8b5df7ec858dc4fd5c75cfb0e0bc1e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc448803D499004322A11B4DC35B68691.TMP
      Filesize

      1KB

      MD5

      70c207ee35e91fd874a7aac9d625b8d0

      SHA1

      2ab2454daf510b36ba7168047b4b0632bfef9032

      SHA256

      979ace2b6aca2ab2f14fbbe1357fbf296b46b0f3556ae5ac0230dcf7034e60be

      SHA512

      beb6b7e71cefeb7dec6c979706f03fbf630b3ee47fd86458b91283ae1acaa9bba36bd7bfa4fa3c1a3459761f27182ef7e931000fca7d2084ffdc62075f3bbbf4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vvgr2oip\vvgr2oip.0.vb
      Filesize

      2KB

      MD5

      2fd1fafc788e4fbe8f15df4074741138

      SHA1

      324becc4ec7a736eaab94e7071932b9d34aa65a3

      SHA256

      5c0d67b8fe18197f5cbaea25a4e16f6b0e3b0713b5c0389fd9415fcf0f237c5f

      SHA512

      7689f6a283a00c96e943bf897af2d38d339144f983915be588c92f2164c222501b1f03a143fd24a877ef7e74c00e1adf91207f3f09ff154e058345283888d9c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vvgr2oip\vvgr2oip.cmdline
      Filesize

      273B

      MD5

      723a27e3a101568dea9b9ec3c327f734

      SHA1

      096203c11a551bd02c92e54ebff821f59a0e13f1

      SHA256

      a081602f64823f182bdab02c4ba5c947d8bca89fe7a85f7c1342b24d132e6d19

      SHA512

      a388469b18b45c6eb5877ca12f57980276dd34bd5fde00db93228f95e27bd07f1b6d5d9397fc3c8655664d006035fc1f9a7c219b0409a8cade6009f783323ae0

      Download Submit

    • memory/2180-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2180-1-0x00000000009D0000-0x00000000009DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2180-7-0x00000000749E0000-0x00000000750CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2180-24-0x00000000749E0000-0x00000000750CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2712-23-0x0000000000320000-0x000000000032A000-memory.dmp

      Filesize

      40KB

      Download