Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

7995552ec5...cs.exe

windows7-x64

7

7995552ec5...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    26/05/2024, 06:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    7995552ec5d9ca6284c9c94c7de66710

  • SHA1

    2620702821bb798f7f5624408238643c5640dc6e

  • SHA256

    735a47d1309ba80f1a55ff77f0069925f009323eef977104351c60d76bc5fc50

  • SHA512

    dffabef87785754800bf053301eaca83ab7b545a8c4f0616df2b324d9eef9407c62d28a42ca2df9ce026e27a36000a5d17e3d75623ca3624e71d68f4ad9cca97

  • SSDEEP

    384:YL7li/2zsKq2DcEQvdhcJKLTp/NK9xaHk9:mgOM/Q9cE9

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\42j2a4q4\42j2a4q4.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES253C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc913A1C40E0434B1C9124ED4167A684AE.TMP"
        3⤵
          PID:2608
      • C:\Users\Admin\AppData\Local\Temp\tmp2398.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp2398.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7995552ec5d9ca6284c9c94c7de66710_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2712

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\42j2a4q4\42j2a4q4.0.vb
      Filesize

      2KB

      MD5

      5efb56ca6cfc2afec71a6333a4b71412

      SHA1

      e9560176f99fcf2ac88865150bfe85023c38ec57

      SHA256

      0067659ab1e2232553e33bea0f7a4b016028435366faec1ca734d1993a7a5241

      SHA512

      51e9f245a39fb3b18ac82f57d056d6838f05d45da3c85d71ff5c20ce0883a33aecc50f75617fe84fed9ed0567aae80b6bb12b3ecae09163e8b23830e145ee702

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\42j2a4q4\42j2a4q4.cmdline
      Filesize

      273B

      MD5

      fed164a433067c968125311e2cc08b55

      SHA1

      8a3d125ce38540d1d9338bb65c8524bd2c8bd8aa

      SHA256

      7e1231cc7892b424ad76c7cf9c6a10f3053d6ecbb4f6c6c55909094799cb065c

      SHA512

      81c33d412edcd22d22dfe448fcfd05bfe9a9b8b29597de8055bb8c015aac7210e44ce4ba450bebfc8549de6e196714209bc72408576fef390f2769df30b281c6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      e5e451a4ca8d0bbb4b727e36a5db300d

      SHA1

      8bcbc1678562039ba0661925286d5594a4be8f62

      SHA256

      ab82be6abfef1a5419fe8b4c69f3d5997be358303b276917ebdee24ad3e703c1

      SHA512

      64e955b8642a03fa79e1d2a7f20f2154aebf087eb7580f1257dce50bdd16b965c20b4301608a4a41a15343c2dfabd94481ea102467fb7b921668112e2fa6d994

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES253C.tmp
      Filesize

      1KB

      MD5

      efc8556822ef95a9c2e2f38764d0586f

      SHA1

      043e4c33da6d95fd75eebead86f6373d29b26e8f

      SHA256

      906e2638961215d44b9dc9c0873de54db4a13f8fda813adfb3f9b76d2b3fb717

      SHA512

      17a99b6e804ea651629d64ed0ca30eaf005223357a8e81f48eb8fac69817863e0cca0a0e57a96f14b255ebc119a2b7460a53ca3ad2f59b5ac47e19242962dcfc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp2398.tmp.exe
      Filesize

      12KB

      MD5

      721fe1a30c1be42a6f9eba1b85aad89e

      SHA1

      d78fe3a3c343199b6b4d21e2194389f326c325ff

      SHA256

      a86ce210e44e83969ba47f655c2a11d2ba610a8781a18b22c8331289c34a03eb

      SHA512

      1afe0d7f495d66385a6a381eac8873f783bd7895d0df4e516c48ac636fecc25b5b70bb4961103ae7a16a6a2b4bdbbaf05e1e66fe13048410c65acb06036aa7f7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc913A1C40E0434B1C9124ED4167A684AE.TMP
      Filesize

      1KB

      MD5

      70c207ee35e91fd874a7aac9d625b8d0

      SHA1

      2ab2454daf510b36ba7168047b4b0632bfef9032

      SHA256

      979ace2b6aca2ab2f14fbbe1357fbf296b46b0f3556ae5ac0230dcf7034e60be

      SHA512

      beb6b7e71cefeb7dec6c979706f03fbf630b3ee47fd86458b91283ae1acaa9bba36bd7bfa4fa3c1a3459761f27182ef7e931000fca7d2084ffdc62075f3bbbf4

      Download Submit

    • memory/2216-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2216-1-0x0000000000B90000-0x0000000000B9A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2216-7-0x00000000749E0000-0x00000000750CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2216-24-0x00000000749E0000-0x00000000750CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2712-23-0x0000000000F70000-0x0000000000F7A000-memory.dmp

      Filesize

      40KB

      Download