Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

5c8d3638fc...cs.exe

windows7-x64

7

5c8d3638fc...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    30/05/2024, 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    5c8d3638fc0e093018f422de7e703520

  • SHA1

    611d88790efba6f623d6520bce8949fccb069151

  • SHA256

    a5bd7f0cff464447aa29f3f4f3447db2268f7c76da17d88d33539841b8cf01f3

  • SHA512

    3d43673fbce20097dc22c4a51622175b4097753636cb121921c948fbf6b3d34572cddf984693692a5510ae2de5dca83c5a9f20daa71ed9eb3b94f3491f83f219

  • SSDEEP

    384:iL7li/2z0q2DcEQvdhcJKLTp/NK9xa4+:8YM/Q9c4+

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c4leg1r1\c4leg1r1.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7AB67B9BFC5A46FD8ABC14D4D8C448A.TMP"
        3⤵
          PID:2564
      • C:\Users\Admin\AppData\Local\Temp\tmp7FDB.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp7FDB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2760

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      e358cce51112cded9ca862519874ac9f

      SHA1

      9bf3b210e5e9a866e3088a6d0b0854a231d40a98

      SHA256

      cc7223df1cf61d990cf269f0ff602ff54cfdee72c49ebe1a4482e04a782becf4

      SHA512

      dbb06aec2c25a40783f648322ab44af2c867f129d7502897d4e71aa28a3d493fe9ac27a7333d924a2e0b1776976286d80210ff2b23e4f4be739a76b082a43b7f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES85E2.tmp
      Filesize

      1KB

      MD5

      fa1344a2d845a7a354c1f2fb8cd5eb04

      SHA1

      03b5a6245a79e907128ace43fa46b347b3421da3

      SHA256

      046b108c815d122c604cd3b0e98f6e54a3c4f867c50cec902e89fc2f877ce42e

      SHA512

      4d4253db309478cd8ee24445e6b8c40c7ac37daba40f5dc83af5d2404702ad97387f56e029627900c9a5599e583e008ee84add7c5ae86838b4380a320200c70a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\c4leg1r1\c4leg1r1.0.vb
      Filesize

      2KB

      MD5

      05df6affd6480dd16113624408509d97

      SHA1

      36b3b67782376b702b78fbddb805b8e9874bfded

      SHA256

      c975f7febd0840868da219f5965aa72753725aa389e7d27636fdb7f4556e92e0

      SHA512

      9a6b66672ba04dc295ae5cf01579c7715500c36208d4f466efc89cc1f6a721b7dbed9e2f497510781695206d6d8b8e48d21722d656100acd7fcd49ac0c193fbc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\c4leg1r1\c4leg1r1.cmdline
      Filesize

      273B

      MD5

      21cb808a9b81e50270618339c4a0410e

      SHA1

      e155bcc786dd971a15bde215530fb731de90310b

      SHA256

      3cea17e96594dd3d8ef32d5703737f07b28aa1eb740ef0258d2d93d3d861d564

      SHA512

      5638f0636e8073486c7be477fbdb2e6d677bac5117ba642144c6591ecc619e9a61b38f69ce10507e671806c5521ce3633fbea53057a4e0ea72b573a964d02a1e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp7FDB.tmp.exe
      Filesize

      12KB

      MD5

      a180b6ae9c15e2de6ced86435f253430

      SHA1

      5918427add141f69e18360b411791c3c86d5a83a

      SHA256

      592d1e29355c2fe0d2f23765df833c1d94bcd82549f170513f4723ae36f19f4a

      SHA512

      80be8a4b974d72be434d3201b60cd130abcf09c40dcad3c2cd95bb7f4a6853db284ff84952f634adf332732d9ea8bbabcedcbd3df0160130e92d1ad190ced33b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc7AB67B9BFC5A46FD8ABC14D4D8C448A.TMP
      Filesize

      1KB

      MD5

      76445249ab90c53c6cb6b439fc970e34

      SHA1

      60143c6c9e5225dacee9d370ad3d10116261a7b3

      SHA256

      d0f120429ce1fb160e7753fb4cde7287caf188d134bb5a9afff7a5c2e9635c04

      SHA512

      33320ca836a1bc3b23656c597723e8165202c49c6004740937e8d5b85ace7575cbcd56b448c05f3536fb299a3856fb4926b2daf14492b4df820eee88c3a9e5f2

      Download Submit

    • memory/2656-0-0x000000007465E000-0x000000007465F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2656-1-0x0000000000060000-0x000000000006A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2656-6-0x0000000074650000-0x0000000074D3E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2656-24-0x0000000074650000-0x0000000074D3E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2760-23-0x00000000013D0000-0x00000000013DA000-memory.dmp

      Filesize

      40KB

      Download