Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

82c523c252...cs.exe

windows7-x64

7

82c523c252...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31/05/2024, 22:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    82c523c25261a0bbbce7272235f51a30

  • SHA1

    c91470e8c9e0d56cd7c91709241c975d8b383456

  • SHA256

    2b916be356227dd894fc71f8640e86a6d2774df6b33784fdf5cbbb8446eb4629

  • SHA512

    84cdba36e647be462bd4b4f16c90ecd62a38841b93162e28152b8bd89fd2e920bc5f2441b976941d7582159103cfd4b08db366f39ac5bc569d205e8580d4fec2

  • SSDEEP

    384:kL7li/2zMq2DcEQvdQcJKLTp/NK9xaMc:ygMCQ9cMc

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3c44gcat\3c44gcat.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29DF5579A59940EA95DA7AC253F9FA48.TMP"
        3⤵
          PID:2636
      • C:\Users\Admin\AppData\Local\Temp\tmp283A.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp283A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\82c523c25261a0bbbce7272235f51a30_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2588

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3c44gcat\3c44gcat.0.vb
      Filesize

      2KB

      MD5

      17dc3866e5c144af82786d14ecf37c49

      SHA1

      68c9b55af1e6fbd40dcccd7da6e2cc3ec1fc2650

      SHA256

      983c809d09434d8acce7696bb385b255bc6791ff2b7cbc988ea8637c9a80cf75

      SHA512

      e60a2be0f1d4fc1b02cb32e55cf3cdc43e82fdadd9e3caac68b0abaa5c5e59b8e34ce7772da8b7d34fc7207c4e99157d38ef12b7f8ecff8393dd9474f8b575a0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3c44gcat\3c44gcat.cmdline
      Filesize

      273B

      MD5

      4dc0736c7447f2c0066b799e7fb10ea6

      SHA1

      98e39cac448cdf21d91bd493d4625850d7d6bf7b

      SHA256

      3815cab1ed2c069f4d34d66c555bca691ce7f10af736364061cebdc406cacee9

      SHA512

      232c8bf856d387ee76db6d4c269dc9d3115325162c1ff4204abbc74b4e84710ee47d3649c9d6133d56e987fc0bbc348072b674fdd876082d34d5ba9be459b1ae

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      e56c3bb62965571dc5f5f3054a66ba0b

      SHA1

      08377d989355c38bbe9324872fa3c387c3489ec6

      SHA256

      5de637e686fa47f35bd068f70513a557cfdac59016d4f5491737e6d3af07da57

      SHA512

      fe3ad21d1ff9dedb0e117dfbd1d5ce405b722c3740f5733dbef30b655ad71383aeda3ec8aa87478b1c44a24b51ff8de83eb49b36e50b7260d4d4175530075fd6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES29A0.tmp
      Filesize

      1KB

      MD5

      f0ed254d091e02612f957618447fabe1

      SHA1

      8a24ba5714f720cbd3215a5e2105bb81dbb815f9

      SHA256

      bae14265377bfa5ca4bdcd667407229fb4ab8df5d7b622a069de7ff242f00ea8

      SHA512

      593d3e9b55643f6394ac9d83ca2d0890c2195a7384e0eff9c87cc2d4bb8b2bebb564e25420e89011bb02901be882ced2e04136c0ff19a92d28092eab70e533ba

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp283A.tmp.exe
      Filesize

      12KB

      MD5

      4b41ec6e93918d87816e2a176a82ffe6

      SHA1

      c62e7c1611f1d32d36186c2948a2772528829aa0

      SHA256

      0c00b787a09b60e3eb7c6a249f42e056bace573dfbe97654a5a8f135f2354073

      SHA512

      08657cdeb4d483a4dc86f3053096f1ce9454161445837de8faf4784dfad9adfe11d0c8f7b4543d148488e3cfa144a8ac1e411b13308d9ac4321de4fa5110290e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc29DF5579A59940EA95DA7AC253F9FA48.TMP
      Filesize

      1KB

      MD5

      94b0c13528c094703fe19ed6f742410e

      SHA1

      8b48dcc9b6b1176a3948c0b8db428e7aca40df3c

      SHA256

      8abe5da41c4f3a31dba92d7e321ccce1cd1196f5c63b70cde979a1080ec1f6c1

      SHA512

      b65d4b6cbfafa279c3874418ab3561e1fd017f28cc5d5c30576cdf294b10073230f9e1418383e8b9efce1c15268b47c35bfc14fac2bae9a11a48fd6efe8d2b09

      Download Submit

    • memory/1880-0-0x000000007423E000-0x000000007423F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1880-1-0x0000000000380000-0x000000000038A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1880-7-0x0000000074230000-0x000000007491E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1880-24-0x0000000074230000-0x000000007491E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2588-23-0x0000000000F10000-0x0000000000F1A000-memory.dmp

      Filesize

      40KB

      Download