Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30/05/2024, 00:31
Static task: static1
Behavioral task: behavioral1
  Sample: 5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe
Size: 12KB
MD5: 5c8d3638fc0e093018f422de7e703520
SHA1: 611d88790efba6f623d6520bce8949fccb069151
SHA256: a5bd7f0cff464447aa29f3f4f3447db2268f7c76da17d88d33539841b8cf01f3
SHA512: 3d43673fbce20097dc22c4a51622175b4097753636cb121921c948fbf6b3d34572cddf984693692a5510ae2de5dca83c5a9f20daa71ed9eb3b94f3491f83f219
SSDEEP: 384:iL7li/2z0q2DcEQvdhcJKLTp/NK9xa4+:8YM/Q9c4+
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 2760  Process tmp7FDB.tmp.exe
Executes dropped EXE (1 IoCs)
  pid 2760  Process tmp7FDB.tmp.exe
Loads dropped DLL (1 IoCs)
  pid 2656  Process 5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe
Uses the VBS compiler for execution (1 TTPs)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege  pid 2656  Process 5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                              procid_target
  PID 2656 wrote to memory of 2960  2656  5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe  28
  PID 2656 wrote to memory of 2960  2656  5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe  28
  PID 2656 wrote to memory of 2960  2656  5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe  28
  PID 2656 wrote to memory of 2960  2656  5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe  28
  PID 2960 wrote to memory of 2564  2960  vbc.exe                                              30
  PID 2960 wrote to memory of 2564  2960  vbc.exe                                              30
  PID 2960 wrote to memory of 2564  2960  vbc.exe                                              30
  PID 2960 wrote to memory of 2564  2960  vbc.exe                                              30
  PID 2656 wrote to memory of 2760  2656  5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe  31
  PID 2656 wrote to memory of 2760  2656  5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe  31
  PID 2656 wrote to memory of 2760  2656  5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe  31
  PID 2656 wrote to memory of 2760  2656  5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe  31
Processes
C:\Users\Admin\AppData\Local\Temp\5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe"
  PID: 2656
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c4leg1r1\c4leg1r1.cmdline"
      PID: 2960
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7AB67B9BFC5A46FD8ABC14D4D8C448A.TMP"
          PID: 2564
    C:\Users\Admin\AppData\Local\Temp\tmp7FDB.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7FDB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5c8d3638fc0e093018f422de7e703520_NeikiAnalytics.exe
      PID: 2760
      - Deletes itself
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
  MD5: e358cce51112cded9ca862519874ac9f
  SHA1: 9bf3b210e5e9a866e3088a6d0b0854a231d40a98
  SHA256: cc7223df1cf61d990cf269f0ff602ff54cfdee72c49ebe1a4482e04a782becf4
  SHA512: dbb06aec2c25a40783f648322ab44af2c867f129d7502897d4e71aa28a3d493fe9ac27a7333d924a2e0b1776976286d80210ff2b23e4f4be739a76b082a43b7f
Filesize: 1KB
  MD5: fa1344a2d845a7a354c1f2fb8cd5eb04
  SHA1: 03b5a6245a79e907128ace43fa46b347b3421da3
  SHA256: 046b108c815d122c604cd3b0e98f6e54a3c4f867c50cec902e89fc2f877ce42e
  SHA512: 4d4253db309478cd8ee24445e6b8c40c7ac37daba40f5dc83af5d2404702ad97387f56e029627900c9a5599e583e008ee84add7c5ae86838b4380a320200c70a
Filesize: 2KB
  MD5: 05df6affd6480dd16113624408509d97
  SHA1: 36b3b67782376b702b78fbddb805b8e9874bfded
  SHA256: c975f7febd0840868da219f5965aa72753725aa389e7d27636fdb7f4556e92e0
  SHA512: 9a6b66672ba04dc295ae5cf01579c7715500c36208d4f466efc89cc1f6a721b7dbed9e2f497510781695206d6d8b8e48d21722d656100acd7fcd49ac0c193fbc
Filesize: 273B
  MD5: 21cb808a9b81e50270618339c4a0410e
  SHA1: e155bcc786dd971a15bde215530fb731de90310b
  SHA256: 3cea17e96594dd3d8ef32d5703737f07b28aa1eb740ef0258d2d93d3d861d564
  SHA512: 5638f0636e8073486c7be477fbdb2e6d677bac5117ba642144c6591ecc619e9a61b38f69ce10507e671806c5521ce3633fbea53057a4e0ea72b573a964d02a1e
Filesize: 12KB
  MD5: a180b6ae9c15e2de6ced86435f253430
  SHA1: 5918427add141f69e18360b411791c3c86d5a83a
  SHA256: 592d1e29355c2fe0d2f23765df833c1d94bcd82549f170513f4723ae36f19f4a
  SHA512: 80be8a4b974d72be434d3201b60cd130abcf09c40dcad3c2cd95bb7f4a6853db284ff84952f634adf332732d9ea8bbabcedcbd3df0160130e92d1ad190ced33b
Filesize: 1KB
  MD5: 76445249ab90c53c6cb6b439fc970e34
  SHA1: 60143c6c9e5225dacee9d370ad3d10116261a7b3
  SHA256: d0f120429ce1fb160e7753fb4cde7287caf188d134bb5a9afff7a5c2e9635c04
  SHA512: 33320ca836a1bc3b23656c597723e8165202c49c6004740937e8d5b85ace7575cbcd56b448c05f3536fb299a3856fb4926b2daf14492b4df820eee88c3a9e5f2