Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 02/06/2024, 03:28
Static task: static1
Behavioral task: behavioral1
  Sample: 2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
Size: 12KB
MD5: 2e7adf1d541f263e48978764067027b0
SHA1: 626b0d6930094dc168c9f2da08d44080f2171dcc
SHA256: e9229d328373c8c01ad68ebf81f72fe64c7e93a1728f11d13e2e3ce90a68c2c0
SHA512: dd26b90a471a151bacaa99f5b6fb2316e23de7441f3c589ed62cfef35c331a1e0ea18f4f20ec7a72a5125168bc031b2b2d1713b178810245cfa08c1820a1942b
SSDEEP: 384:RL7li/2zkq2DcEQvdQcJKLTp/NK9xaQb:RQMCQ9cQb
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 2704  tmp92AF.tmp.exe
Executes dropped EXE (1 IoCs)
  pid 2704  tmp92AF.tmp.exe
Loads dropped DLL (1 IoCs)
  pid 1308  2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
Uses the VBS compiler for execution (1 TTPs)
  Note: the binary involved is vbc.exe, the Visual Basic .NET command-line compiler, not a VBScript engine. The sample compiles code at runtime and runs the result.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege  pid 1308  2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                              procid_target
  PID 1308 wrote to memory of 2920  1308  2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe  28  (4 events)
  PID 2920 wrote to memory of 2724  2920  vbc.exe                                              30  (4 events)
  PID 1308 wrote to memory of 2704  1308  2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe  31  (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe"
   PID: 1308
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uitodacp\uitodacp.cmdline"
      PID: 2920
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES977F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17DE3710DC5C4924A5F65538E24198D.TMP"
         PID: 2724
   2. C:\Users\Admin\AppData\Local\Temp\tmp92AF.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp92AF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
      PID: 2704
      - Deletes itself
      - Executes dropped EXE
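The process tree above is the textbook .NET runtime-compilation chain: the sample hands vbc.exe a response file (*.cmdline) in its own Temp directory, the compiler invokes cvtres.exe to build the resource section, and the freshly compiled tmp92AF.tmp.exe is then started with the original sample's path as its only argument, which is the usual way a running executable arranges for a helper to delete it once it exits. The code below is an editor-added example, not part of the tria.ge report or of the sample; it runs the two checks a detection engineer would write for this chain over a constructed list of process-creation events rebuilt from the PIDs and command lines in this report. The parent PID of 1308, the explorer.exe event and the benign MSBuild/csc.exe pair are invented for the example so that the checks have a negative case to ignore.

```python
"""Two detections for the runtime-compilation / self-delete chain in the report:
   1. vbc.exe or csc.exe spawned by a parent living in a user-writable Temp path,
      with a *.cmdline response file that also lives in Temp;
   2. a Temp-resident child started with its parent's own image path on the
      command line (the dropped helper that later deletes the original).
Input is a flat list of process-creation events (pid, ppid, image, cmdline),
the shape a Sysmon Event ID 1 or EDR process feed provides."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Editor-added example code; names below are the example's own, not tria.ge's.
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
TEMP_PATH = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full image path
    cmdline: str  # full command line


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def find_runtime_compiles(events: List[ProcEvent]) -> List[dict]:
    """Compiler launched from a Temp-resident parent, compiling a Temp response file.
    Requiring both conditions keeps MSBuild/Visual Studio builds out of the results."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        if basename(e.image) not in DOTNET_COMPILERS:
            continue
        parent = by_pid.get(e.ppid)
        rsp = RESPONSE_FILE.search(e.cmdline)
        if parent and rsp and TEMP_PATH.search(parent.image) and TEMP_PATH.search(rsp.group(1)):
            hits.append({"pid": e.pid, "compiler": basename(e.image),
                         "parent": parent.image, "response_file": rsp.group(1)})
    return hits


def find_self_delete_helpers(events: List[ProcEvent]) -> List[dict]:
    """Temp-resident child given its parent's image path as an argument.
    A helper that receives the original binary's path typically waits for the
    parent to exit and then unlinks it, which shows up as 'Deletes itself'."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if not parent or not TEMP_PATH.search(e.image):
            continue
        if basename(e.image) == basename(parent.image):
            continue  # a binary re-launching itself is a different pattern
        if parent.image.lower() in e.cmdline.lower():
            hits.append({"pid": e.pid, "helper": e.image, "target": parent.image})
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed events: PIDs/command lines from the report, plus an invented parent
# (explorer.exe, pid 1188) and an invented benign MSBuild -> csc.exe build.
EVENTS = [
    ProcEvent(1188, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1308, 1188, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2920, 1308, FW + r"\vbc.exe",
              f'"{FW}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\uitodacp\\uitodacp.cmdline"'),
    ProcEvent(2724, 2920, FW + r"\cvtres.exe",
              f'{FW}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES977F.tmp" '
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc17DE3710DC5C4924A5F65538E24198D.TMP"'),
    ProcEvent(2704, 1308, r"C:\Users\Admin\AppData\Local\Temp\tmp92AF.tmp.exe",
              f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp92AF.tmp.exe" {SAMPLE}'),
    ProcEvent(4100, 1188, r"C:\Program Files (x86)\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
              "MSBuild.exe Demo.csproj"),
    ProcEvent(4101, 4100, FW + r"\csc.exe",
              f'"{FW}\\csc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\abc123\\abc123.cmdline"'),
]

if __name__ == "__main__":
    for hit in find_runtime_compiles(EVENTS):
        print("runtime compile:", hit)
    for hit in find_self_delete_helpers(EVENTS):
        print("self-delete helper:", hit)
```

On the constructed events only pid 2920 (vbc.exe under the Temp-resident sample) and pid 2704 (tmp92AF.tmp.exe carrying the sample's path) are reported; the MSBuild-driven csc.exe is ignored because its parent is not in a user-writable path. In production telemetry the same two checks are what distinguish this chain from legitimate CodeDOM use by installed software, which also writes *.cmdline files to Temp but is not itself running from Temp.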
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 4b7e4b8f99ff6e92dd7a45250037373f
SHA1: 1d5c1cfec0dfa7160748a4d208005a74d7557a68
SHA256: 38a5141fb78803eb8b2ab5ea1654d6add882ecf481e62f218a28e2d6e977906d
SHA512: 3bf714819a9a8336648f69538ffe8522ce77e2d3892864481a65b8916d47f64e1409001847798270065ddfdf9539328532b5f469b0f4dfd5dd1b82fa8dd7aac1

Filesize: 1KB
MD5: c14ba45fbebe3bd0600c86fdbe2e9765
SHA1: 82291db19f75edb8dfa25820e6d5f6dd232aeddd
SHA256: e4bb28a2516b3fa587dff0d4a55d6ba8ac7785e7aff8acb4ee0610868e8919b6
SHA512: 213bdd18c85c4e895859edde784bbfc1884e4fe441b5c474acdf9880f0444e88f978af7f8fd5d18515bd555b4e44712467587d8e75b3f614ee2032ffc04d7897

Filesize: 12KB
MD5: 6f9fd393cdb379b5254c4d7651d721f3
SHA1: e85aa8fb4f3aa71988269067c80069d22321631c
SHA256: 066bc59472688d2df72e3400a90c8be34b3d992d137297fee94889c80e2944f6
SHA512: cdb9aa69337395da514469fdc417cdf2df5a70b0e5dab73eb9f4845c1b704868d297e5179fdf603a6f013aaaa710f043ac2c169f99df80bc08ad57fd53b980e9

Filesize: 2KB
MD5: af5e8edeb95469d462d11d790857380e
SHA1: 6172209cdd86f2fddca3f2bea8fe46ab55716224
SHA256: aacb73763c3e7c117c5897923c5f4526a3b7cf00c46d7d936b93d7284c9aa661
SHA512: 0d27f7b213c7881add92cbd9ae3d600c11398cb019661aefcc0b6172de52ac2b621f46692d325915b2e721c701bd6df39079c99258894a1ac7f8c848bca40d47

Filesize: 273B
MD5: ac356e9e54d11a2c151b7086b5736500
SHA1: 24bc7f767c02c9a67ed89a7359b9ad01e03bbd37
SHA256: 90fd8959174c15f67ca04f3dd238176afc5f984a506bae099eb9cabc62490f43
SHA512: b63a09400d8f19ab19730049343eed15bde8bd324a84ef25ad323b849b7af109b3ad33243009897ffefaed13c0d7f137338be72f9f88d348653c543dd2632142

Filesize: 1KB
MD5: 33a25decc5830a1036de4b3715b4d29f
SHA1: 27646b4f49357414cdd5df93e14e351a7a1d301e
SHA256: 2520be3616371d83bc5a74730facd3423d7cb28b60f503217088e423174afcda
SHA512: 23a8afa94b8776d2a565b7e649655085a8bbfeb06dd6775afeaa3b3c2ec78604d5851fb6927f9fcbf67c04d826f0d00838e60da2340a946caa1cfb9977abda91