Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

0591e90287...cs.exe

windows7-x64

7

0591e90287...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26/05/2024, 21:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0591e902871572f082d993695ecac470_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    0591e902871572f082d993695ecac470

  • SHA1

    a10f26262c9f693994eb1acf18922464ae823b76

  • SHA256

    8a7a8c518cb2a54a30dd01a88e0ef7adb92144ec3e968bdd961895443d1c16ef

  • SHA512

    423fc323d851f5a615faa28afae42b976b73aba16df564e528b69b225ba6689ea557a6ed59b6f0668460afbd183e7680e1e0d4ad91b7cbf946b538672474e3a7

  • SSDEEP

    384:hL7li/2zMq2DcEQvdhcJKLTp/NK9xaWV:BIM/Q9cWV

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0591e902871572f082d993695ecac470_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0591e902871572f082d993695ecac470_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z2qi1wc3\z2qi1wc3.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA13F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc21F3AEE2D09F43E5842421EDDD3A05C.TMP"
        3⤵
          PID:2604
      • C:\Users\Admin\AppData\Local\Temp\tmp9CAE.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp9CAE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0591e902871572f082d993695ecac470_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2936

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      661cd275fd72be6d3e5d7ecbb667c91e

      SHA1

      d4911b3bd3d7b96975bd3da2f051e4b1753b251b

      SHA256

      8882461b44be62a6b4a33dd6a5ba5e6ed4b59bcfa47cf6d1e2c4f5af52bf4983

      SHA512

      3ad7f5006bbc8b888587b0239648397c7627cc538a3b10e93c4136b708f92367f94c5b2efcbe74c57a717dd2e9ca801c907fe20649f7058ad027fc42157fcf47

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RESA13F.tmp
      Filesize

      1KB

      MD5

      6ece48f175f6799279a80e5f652535a5

      SHA1

      43f7a8a72d729d6a4a2b272906efc7b55115e2a8

      SHA256

      bd328055d1821b1ef5a07290a3acdba057cd83353ed9c5f47c0fcdfa6c4402b1

      SHA512

      27dbd25ba0d4d466a1c10747bf3c129262639006709ec91aaa7675085155a3c2e85ef3a207c5ff7564d933f93f8bba3e0765a71943165c636f20ec64a4728498

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp9CAE.tmp.exe
      Filesize

      12KB

      MD5

      2be5014a64f54df54aa7c005f4edba11

      SHA1

      cc3bca6690e5657230cc94e954817e9bd53bd01c

      SHA256

      a104a88d8156185842e69a4e826d062e9fd42194ba81838bbdb6260123cb1967

      SHA512

      f90594eb272afe3ea3e59549728a1d89c040ce333a0dd8abfaa934338fc4f9ef08408797af76bf612db3ef029097a6fb08e5438daf89d9eb852d438be6049861

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc21F3AEE2D09F43E5842421EDDD3A05C.TMP
      Filesize

      1KB

      MD5

      6f5e490b880ea7657dc010a8aab2a812

      SHA1

      72da794eaa294f1da77ffd6f5c6fd82f09d9a281

      SHA256

      359864b70b949bc4ce77695b9eb9d7dab8c4b33d17e1a60880b7d4f088647d91

      SHA512

      2e7e078b123679a761ddee28e9cad87f8c9888a4718c9bf454eb69d9dfb35bfca31f2f19b12172bbbc8da02460c8dbf01fda708673f7fca663fbcf02ccaec09e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\z2qi1wc3\z2qi1wc3.0.vb
      Filesize

      2KB

      MD5

      140da8cc32c35aa30ff91c149e38afd1

      SHA1

      f63a570a347d6a9fda21d13b12bfa8bea2cf05eb

      SHA256

      831f8ceb917b9c3b6d0600433b9d6d6834d030e2873b1c8d3ff1720949c2603b

      SHA512

      1fbb3e4ee785bc2a289f4e7f27c25fe9db56ac00471608836631e7b2d0d579e6d3d3a337019c5008e729b0d19024459359b07765370c8e5534117c317068285e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\z2qi1wc3\z2qi1wc3.cmdline
      Filesize

      273B

      MD5

      bf56d19493cd326669728a2d74b14273

      SHA1

      52129752200d622d9faa90d6dc4b97049496adc6

      SHA256

      513c251a375915ce4f42e0657a9fcecb5f0a0ddf6dd73d74fc1d2a3e7eccca5c

      SHA512

      5735f3fc3a2cbdba2531115447ff7d83f3d861f2479bd88ca4a446b7be70a01cfc76e2ae5ec3ca1205115cbf811bc65afaa00ffa760bb78a8539ebf2a63cc46a

      Download Submit

    • memory/1084-0-0x000000007470E000-0x000000007470F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1084-1-0x00000000001B0000-0x00000000001BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1084-7-0x0000000074700000-0x0000000074DEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1084-24-0x0000000074700000-0x0000000074DEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2936-23-0x0000000000C20000-0x0000000000C2A000-memory.dmp

      Filesize

      40KB

      Download