Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

db9d44868f...cs.exe

windows7-x64

7

db9d44868f...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    27/05/2024, 11:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    db9d44868f38f3b02be940cf7300c1d0

  • SHA1

    3ae2233685f26a6997e986bdf1728962a01364e9

  • SHA256

    1a33ed5ee50b86dea6ac282a8ceea48ac6b92a9d573e56c944bb449ee8741e58

  • SHA512

    3f766eac26841590ca410a9c9a97b7badd0c4a7b7bb621b5393585bd5f67545cd194ca6a8d9d12c18ecf299230aeb5d8cad7dddbafecdaac91eef8ec5fba3336

  • SSDEEP

    384:5L7li/2zSq2DcEQvdhcJKLTp/NK9xarX:J6M/Q9crX

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vga2c31p\vga2c31p.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1890.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA2CB2EBC6A34F68AC85ACFF53963713.TMP"
        3⤵
          PID:2668
      • C:\Users\Admin\AppData\Local\Temp\tmp1640.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1640.tmp.exe" C:\Users\Admin\AppData\Local\Temp\db9d44868f38f3b02be940cf7300c1d0_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2884

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      159c107fd08487bb3d3b18121ceab8c4

      SHA1

      bacf0634e95321c489fa9c04884f1a90696e07af

      SHA256

      5cfc2000d96e96a249f212e9b03c7d813906f983f3572879626f9faa684e1687

      SHA512

      b953a17ab8b5640bbbd1900083ac1a897f09d6522bff0952b4d55d5e9e8c1309d57dfe1093bd647630905d645dd2a246ff3444a40cccaa1fbc2ab324f843161d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES1890.tmp
      Filesize

      1KB

      MD5

      d25be24c14a87beb208b91e0a84c948b

      SHA1

      f4f749f87b7329bcec7da58d450783c2d8926919

      SHA256

      04b2161e81497358e1af1e7560d9eb56cd315864fdd467278b6661b3cdb8ad7f

      SHA512

      67209c48121930a0f8acc4e4f76f9e57e308c4b409c8a1df6a741da8b88e4cda071eced25b09128e154d2353b54f01719de677bca6738c83256f32674c9c626b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1640.tmp.exe
      Filesize

      12KB

      MD5

      3f3962f38d040e7f26d4128fdfea6e49

      SHA1

      9ec8751c2f3e2c54bf1ce5b5e0d11233b3dfb3b3

      SHA256

      59ea672b443d61ee6c10c363d648132bbe02de6ea3cba76e5b207689d1c1c3d8

      SHA512

      61a3001473d6a153cc1427819c207002e11d9c64735db7acf2426bc1b0032c5cd1650b76cca6db273d773fc7e5b45513014ce414c472b22bedc9b8d27874cb79

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcEA2CB2EBC6A34F68AC85ACFF53963713.TMP
      Filesize

      1KB

      MD5

      c81c426d9cc909692b76e5aa032b068f

      SHA1

      b4894e0eb838818360d44f32b92745c4d35b3a97

      SHA256

      9fbeddedd9526afa8058375a2f6053e671e5fb599bf5e816f19016e33a837378

      SHA512

      5722cefe2744306e91023ca5623f75a07ee2d412341d31d8f236236d1bd350bfcc48dc7c757340ffe0aebed77113041ec718e8cf85027095190db3cf0b87de93

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vga2c31p\vga2c31p.0.vb
      Filesize

      2KB

      MD5

      21303903aa90e227af6bbdae014152b5

      SHA1

      9dfab9828827d9370b8c65641e9b1b5b77a2e4c1

      SHA256

      9fd46c542828c6dccd0aec7bbccc4601515d7ba61a3974d91cd0570fc30e1d29

      SHA512

      fd8ad92637aaeee6233a023f1bb162455f984cd52d36f97e34eddfcb5ed3ab5abb45c2feceddc91638e63e408b1e88bf4987f4aaa4997f50df3e27d3a841d0a6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vga2c31p\vga2c31p.cmdline
      Filesize

      273B

      MD5

      1a8834aefc6f925f3f2f31ad420827f7

      SHA1

      f0509150d89064b654ae056c50449b2d2efc7cdc

      SHA256

      b0114d849dc559778b353dba243feb2be9a378abd7ce6b85c2ff3e1310b51ad0

      SHA512

      25f3ebf1e54f662b176b0e3dd5a10d710f857bab0e0330e0f64b4886eb6d5c5c7d6ea6f33dd65b1516c954c53d010f9bc9be6fae1dee301b22579a5a1be5c1fd

      Download Submit

    • memory/2148-0-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2148-1-0x0000000000060000-0x000000000006A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2148-7-0x0000000073F80000-0x000000007466E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2148-24-0x0000000073F80000-0x000000007466E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2884-23-0x0000000001340000-0x000000000134A000-memory.dmp

      Filesize

      40KB

      Download