Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

7

1f0861c924...cs.exe

windows7-x64

9

1f0861c924...cs.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    152s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/05/2024, 04:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe

  • Size

    215KB

  • MD5

    1f0861c9246a2f99c450502d398ee5c0

  • SHA1

    edc2faefbc97b4b5c46dbb3b36c638c13d341366

  • SHA256

    c7207f55b0fdb4d1b8101197cba305da13e7fafbde6980771d0ea79ab842309c

  • SHA512

    53814623dab0c115304aa1d35e06ba39bbb9d4ca0057a67be5301a878fa16ee209436b2c0ce17b0e990bc67a237cc0bbff80ec9f19f669a05fa78145d142de47

  • SSDEEP

    3072:fnyiQSo/w9mHpKZNGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2ZTxx:KiQSoo9UpK7ShcHUaZf

Score
9/10
ransomwareupx

Malware Config

Signatures

  • Renames multiple (1050) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2872
    • C:\Users\Admin\AppData\Local\Temp\_cinst.exe
      "_cinst.exe"
      2⤵
      • Executes dropped EXE
      PID:2800
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2256

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.exe
      Filesize

      72KB

      MD5

      9b041b3df69122724c00f1d900395a90

      SHA1

      805e5e42a33712a93296291c286ed06900f8ebeb

      SHA256

      0fa4dc53198e184136acc95bde548678f0ee51189bc45ff25e2930051facf3f4

      SHA512

      501a60de90a67484adff15e2d25fe8416e24c7289ed2c6332f262b514833d66b4fa652a6d47a8e54cb921aba89417ba1e3e7ebc07933d873dd28bec0f5cb9d30

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_cinst.exe
      Filesize

      143KB

      MD5

      2fdb371d45181dff59577110ba1064e2

      SHA1

      42a5833cb0ac90e38d734d1327bb3f7c7a6aa453

      SHA256

      80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155

      SHA512

      52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

      Download Submit

    • C:\Windows\SysWOW64\Zombie.exe
      Filesize

      72KB

      MD5

      91d3e21ecb3b3a942d88fd8245383978

      SHA1

      5afa4c1f456a92adf42c0c1c3315402bd4d4bb1f

      SHA256

      70eed4d2d51eba4303cde9c9401931f960479473db7586caf3c5f13d5ff9cc93

      SHA512

      4386b5578c3c248c9809a4912bc560c8e4fe4924fb33eb04827132d1f8112d9c1a87a24353397b103b72aacaa94a7c74674ba992570ffefe5aa67bfa0db93e3e

      Download Submit

    • memory/2800-21-0x00000000006C0000-0x00000000006E8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2800-20-0x00007FF9872D3000-0x00007FF9872D5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4888-0-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4888-23-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download