Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

514721b581...cs.exe

windows7-x64

7

514721b581...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/05/2024, 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    514721b58189a2cb0132f06b1061f900

  • SHA1

    2f55a861874e9e32990d9ee8ea86695ece396fa7

  • SHA256

    55f4dcbe3a9fecf82f78ba628fb6375e0e800b7d04bae2bc8f78b220926f5c51

  • SHA512

    f0fd4c584fd83d4442964fd556c383acdf436b790deda81fe5fcc5509c99c7e89995b03fc37e14b2ff74cba520de1e606d1b959dc247eca367b5bc58de2a39f3

  • SSDEEP

    384:XL7li/2zsq2DcEQvdQcJKLTp/NK9xaAY:bYMCQ9cAY

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3p25ocp5\3p25ocp5.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA860.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4A2A210C2CD4A3C8BC8256F499734.TMP"
        3⤵
          PID:2984
      • C:\Users\Admin\AppData\Local\Temp\tmpA084.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpA084.tmp.exe" C:\Users\Admin\AppData\Local\Temp\514721b58189a2cb0132f06b1061f900_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2612

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3p25ocp5\3p25ocp5.0.vb
      Filesize

      2KB

      MD5

      951bbf616245ffe083632ae320104e82

      SHA1

      be2b84820b70a3740342309f6d6413c34256179c

      SHA256

      6f9aab0d12c289938ef61a7f8df1721981cc6276b7ae5f4185f00eddbafa4c8f

      SHA512

      6d19f9475cec1687260efb46e335eadc8c5e0bd61f60cb48563895d5ce18b062730b8f10512ce9204f76382c0dbedaf663c9420aefaf1efe8ebc87331c483e41

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3p25ocp5\3p25ocp5.cmdline
      Filesize

      273B

      MD5

      3041a81507b779c59522b113bd67f955

      SHA1

      aff3d432d08ab773c994c92dad1c4e4dfcdd4644

      SHA256

      8030ddf34c5478ad294c4c4216c932ce70d1ac633ddbb1ba6e56e5bf7ba8287e

      SHA512

      650642952b636ac134d4f031fce0c6013ffd704a1dc3a3663326cf1a9a3e8e7946210a16d69c29068e30b0b1111cf5e86e48e5a1e8f46dae862c66744156f771

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      4a0ad59927914a24c2683d2e3d3d550c

      SHA1

      a8c0ef86d7b4abc8738a7aa1d7f3492811cf47c4

      SHA256

      cf78c81629dbbefbe8cb9940b3e1f5f88b97c7eb303613447be41c16e935e94e

      SHA512

      db454db9d8d8ba2fc1953f89b8b911c2cc16d54ee7752b34741754c882ade0753b07742f73fb154c9a7384146c4f40d4e0917af4be16fc06ba53805df63fecbe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RESA860.tmp
      Filesize

      1KB

      MD5

      2ce5aca724ae0a3b570f9d8eb6746a98

      SHA1

      afe451c11c939577808455c0ce5ceaa9e30175d1

      SHA256

      a65f5b6f5cf7899597a64fa8ff258c70292e0252afc04961a7da149ac1f61e12

      SHA512

      23088864fba00a413dd2257e45c15f7006c0a478300c89dbc1510f6927f562b66d1a9851fd6c2e97c38bb03d003b5f532fa3f359072f042266e4b3be64865463

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpA084.tmp.exe
      Filesize

      12KB

      MD5

      e49182b992236064a53a0eca217428f4

      SHA1

      9aff70fe1390aba67ccb7b6c0b0ab2013d9bb9e4

      SHA256

      618bf71b54e371ea2aa86149b385be0b616180aad3c82c8ba6a6bedcff2c8e6f

      SHA512

      00f1db79b183bb8a7d0bbc4c05dab55bd064b2f96c272cd3456cfa0fff162cc7b3ad9e138121968c42978ad937adb295a5b8c724351987018a0bbde0c9a63365

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcD4A2A210C2CD4A3C8BC8256F499734.TMP
      Filesize

      1KB

      MD5

      726fbf154a7707e26a64aa0f50fecea6

      SHA1

      a3af96ae8d68a603be571ab1301e0a791f43bed5

      SHA256

      13ee32e28b8a792e8e1088ba358f41a7dd0b2f1a59cfc606e631b85ef07f168a

      SHA512

      836e1bce61ff22a6236f851d124f611fc137aae5b46ad1212ba6428ae71365a1fdfa100002663b274705c1b8e48e0508b4ffbb69aa6468734622e622f33a6a97

      Download Submit

    • memory/1932-0-0x0000000073FFE000-0x0000000073FFF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1932-1-0x0000000000960000-0x000000000096A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1932-6-0x0000000073FF0000-0x00000000746DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1932-24-0x0000000073FF0000-0x00000000746DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2612-23-0x0000000000C60000-0x0000000000C6A000-memory.dmp

      Filesize

      40KB

      Download