Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

74e406cc8c...cs.exe

windows7-x64

7

74e406cc8c...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    31/05/2024, 03:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    74e406cc8c6505f2e89b6a79edc20120

  • SHA1

    a9258120dfe7c2fb9907d8885e76a44b18053a9f

  • SHA256

    694a7e504e19fb661c77560ca28d2735f1207d60d33e4d657e3ee3fce21fd742

  • SHA512

    741534eb679d74ee130fce36eb4d37d73f556803da20033052f2b38dac8638b9280c5fcb8ab0e4259c4d1f6dfbb21eac7344dd59da9410dc32c226ca89248cae

  • SSDEEP

    384:SL7li/2zKq2DcEQvdhcJKLTp/NK9xafb:M6M/Q9cfb

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tacmdz00\tacmdz00.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC811E09DC0974F4A8AB69EB6FD7D1B12.TMP"
        3⤵
          PID:2672
      • C:\Users\Admin\AppData\Local\Temp\tmp24E0.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp24E0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\74e406cc8c6505f2e89b6a79edc20120_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2724

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      9ed16f53235b848172ef73479e3d1306

      SHA1

      7a770d5dd2e477f833fd26137127110acf6c7ef7

      SHA256

      d0a70943a30d5a24d6f01623b217af3a444b2355b5de910661a681db0c46e41f

      SHA512

      cb9b983b06cdc2590b21f7d821938ef03064facad67240628030e044fea2954f837949d49d47c76a19b1a5c0d419f1216de18beb55b563b93d6c728948ec1a73

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES26C2.tmp
      Filesize

      1KB

      MD5

      76046a92942406ffe96abec548a0570d

      SHA1

      93801f61f05ddaa40523edbdc4f73b4f12841d91

      SHA256

      dafbf5e28812016accbf37230d1a048135ac926fae0d7f270e7eb7a27f2c24f7

      SHA512

      eb1b78d927a4d2bfeeabec966bdef1b7c1a22b67e24ce2b0648c9a52ed2cb84845a87e82b4002663bd7f17ca94c2cd22908ef92a81c16e8e7f27dd5b787e47e5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tacmdz00\tacmdz00.0.vb
      Filesize

      2KB

      MD5

      68847e4fbd7b9e0a9d034104d59a9e38

      SHA1

      a096614ee5b039fdf4b46211143a674e18ccf08d

      SHA256

      581903c7a01356582ad8d12a0ef11da2d6a3cdc202beeba1149359c92a89d774

      SHA512

      97d1216d89da71d52fca5038afbaffd18342c2f1366719883d690c2fdb4f4ac8c89dbf180fbe0edb1c6b2cd731761221e783929773f6a31bae8e4a31c5281bf5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tacmdz00\tacmdz00.cmdline
      Filesize

      273B

      MD5

      dd7006860b4d6188cce8be24f4f99f7a

      SHA1

      5db0b6254b1596adca3ad0cd171ce94bdc8c2aa0

      SHA256

      df70c76b9441caa42eceabfb8be6975a9c98c7e631775c65e53f3ff2f1d35727

      SHA512

      6d26bb05d62ba262513cd4358450a427f868c556e53964772eedd37ffb15ddf188e6f8ec8a615b9cbc903b80d2311a216f229d842bb2b44515fa4d77641a1a56

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp24E0.tmp.exe
      Filesize

      12KB

      MD5

      610d925ee688909c729b9925f1e41fba

      SHA1

      b20c464f3ccf360f6e5fab2a28f7cb731b694bc1

      SHA256

      5175ae55b670c3162f8457c2a253285cc70d64a96e1256ede43d803544ae4311

      SHA512

      f7eba9425518c5ca29c8f01290c836449dc907955ed9d9ec5752c6101a368ab47bd9fae6cc474df3ef30190a2d4a31160868fd1c825bc6f93c1a72284f441dda

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcC811E09DC0974F4A8AB69EB6FD7D1B12.TMP
      Filesize

      1KB

      MD5

      949274553908e33217ca9ee784ae0220

      SHA1

      28babe474c7f49865609ff17aaff1ef87e32efcd

      SHA256

      1d1b64229ce4336908b5e5bde34370192c56a15120001a550abdaceb04f69a91

      SHA512

      0c9715f28f1d18cfc6bfa1daff21a33e1f584528a08c2bdcf20134808de6851856c0186bb21d957cccc579a52bd905a1f93c3e6bc53ab18538651e5256f1e5c4

      Download Submit

    • memory/2432-0-0x00000000742AE000-0x00000000742AF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2432-1-0x0000000001390000-0x000000000139A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2432-7-0x00000000742A0000-0x000000007498E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2432-24-0x00000000742A0000-0x000000007498E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2724-23-0x0000000001060000-0x000000000106A000-memory.dmp

      Filesize

      40KB

      Download