Analysis
max time kernel: 119s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/05/2024, 10:30
Static task: static1
Behavioral task: behavioral1
  Sample: 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
Size: 12KB
MD5: 514721b58189a2cb0132f06b1061f900
SHA1: 2f55a861874e9e32990d9ee8ea86695ece396fa7
SHA256: 55f4dcbe3a9fecf82f78ba628fb6375e0e800b7d04bae2bc8f78b220926f5c51
SHA512: f0fd4c584fd83d4442964fd556c383acdf436b790deda81fe5fcc5509c99c7e89995b03fc37e14b2ff74cba520de1e606d1b959dc247eca367b5bc58de2a39f3
SSDEEP: 384:XL7li/2zsq2DcEQvdQcJKLTp/NK9xaAY:bYMCQ9cAY
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2612, process tmpA084.tmp.exe
Executes dropped EXE (1 IoC)
  pid 2612, process tmpA084.tmp.exe
Loads dropped DLL (1 IoC)
  pid 1932, process 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
Uses the VBS compiler for execution (1 TTP)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 1932, process 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | procid_target
  PID 1932 wrote to memory of 2188 | 1932 | 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe | 28 (4 events)
  PID 2188 wrote to memory of 2984 | 2188 | vbc.exe | 30 (4 events)
  PID 1932 wrote to memory of 2612 | 1932 | 514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe | 31 (4 events)
Processes
Level 1: "C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe"
  PID: 1932
  Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Level 2: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3p25ocp5\3p25ocp5.cmdline"
    PID: 2188
    Signatures: Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA860.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4A2A210C2CD4A3C8BC8256F499734.TMP"
      PID: 2984
  Level 2: "C:\Users\Admin\AppData\Local\Temp\tmpA084.tmp.exe" C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
    PID: 2612
    Signatures: Deletes itself; Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads