Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2e7adf1d54...cs.exe

windows7-x64

7

2e7adf1d54...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02/06/2024, 03:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    2e7adf1d541f263e48978764067027b0

  • SHA1

    626b0d6930094dc168c9f2da08d44080f2171dcc

  • SHA256

    e9229d328373c8c01ad68ebf81f72fe64c7e93a1728f11d13e2e3ce90a68c2c0

  • SHA512

    dd26b90a471a151bacaa99f5b6fb2316e23de7441f3c589ed62cfef35c331a1e0ea18f4f20ec7a72a5125168bc031b2b2d1713b178810245cfa08c1820a1942b

  • SSDEEP

    384:RL7li/2zkq2DcEQvdQcJKLTp/NK9xaQb:RQMCQ9cQb

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uitodacp\uitodacp.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES977F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17DE3710DC5C4924A5F65538E24198D.TMP"
        3⤵
          PID:2724
      • C:\Users\Admin\AppData\Local\Temp\tmp92AF.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp92AF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2704

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      4b7e4b8f99ff6e92dd7a45250037373f

      SHA1

      1d5c1cfec0dfa7160748a4d208005a74d7557a68

      SHA256

      38a5141fb78803eb8b2ab5ea1654d6add882ecf481e62f218a28e2d6e977906d

      SHA512

      3bf714819a9a8336648f69538ffe8522ce77e2d3892864481a65b8916d47f64e1409001847798270065ddfdf9539328532b5f469b0f4dfd5dd1b82fa8dd7aac1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES977F.tmp
      Filesize

      1KB

      MD5

      c14ba45fbebe3bd0600c86fdbe2e9765

      SHA1

      82291db19f75edb8dfa25820e6d5f6dd232aeddd

      SHA256

      e4bb28a2516b3fa587dff0d4a55d6ba8ac7785e7aff8acb4ee0610868e8919b6

      SHA512

      213bdd18c85c4e895859edde784bbfc1884e4fe441b5c474acdf9880f0444e88f978af7f8fd5d18515bd555b4e44712467587d8e75b3f614ee2032ffc04d7897

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp92AF.tmp.exe
      Filesize

      12KB

      MD5

      6f9fd393cdb379b5254c4d7651d721f3

      SHA1

      e85aa8fb4f3aa71988269067c80069d22321631c

      SHA256

      066bc59472688d2df72e3400a90c8be34b3d992d137297fee94889c80e2944f6

      SHA512

      cdb9aa69337395da514469fdc417cdf2df5a70b0e5dab73eb9f4845c1b704868d297e5179fdf603a6f013aaaa710f043ac2c169f99df80bc08ad57fd53b980e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\uitodacp\uitodacp.0.vb
      Filesize

      2KB

      MD5

      af5e8edeb95469d462d11d790857380e

      SHA1

      6172209cdd86f2fddca3f2bea8fe46ab55716224

      SHA256

      aacb73763c3e7c117c5897923c5f4526a3b7cf00c46d7d936b93d7284c9aa661

      SHA512

      0d27f7b213c7881add92cbd9ae3d600c11398cb019661aefcc0b6172de52ac2b621f46692d325915b2e721c701bd6df39079c99258894a1ac7f8c848bca40d47

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\uitodacp\uitodacp.cmdline
      Filesize

      273B

      MD5

      ac356e9e54d11a2c151b7086b5736500

      SHA1

      24bc7f767c02c9a67ed89a7359b9ad01e03bbd37

      SHA256

      90fd8959174c15f67ca04f3dd238176afc5f984a506bae099eb9cabc62490f43

      SHA512

      b63a09400d8f19ab19730049343eed15bde8bd324a84ef25ad323b849b7af109b3ad33243009897ffefaed13c0d7f137338be72f9f88d348653c543dd2632142

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc17DE3710DC5C4924A5F65538E24198D.TMP
      Filesize

      1KB

      MD5

      33a25decc5830a1036de4b3715b4d29f

      SHA1

      27646b4f49357414cdd5df93e14e351a7a1d301e

      SHA256

      2520be3616371d83bc5a74730facd3423d7cb28b60f503217088e423174afcda

      SHA512

      23a8afa94b8776d2a565b7e649655085a8bbfeb06dd6775afeaa3b3c2ec78604d5851fb6927f9fcbf67c04d826f0d00838e60da2340a946caa1cfb9977abda91

      Download Submit

    • memory/1308-0-0x0000000073DEE000-0x0000000073DEF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1308-1-0x0000000000B70000-0x0000000000B7A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1308-6-0x0000000073DE0000-0x00000000744CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1308-24-0x0000000073DE0000-0x00000000744CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2704-23-0x0000000000A00000-0x0000000000A0A000-memory.dmp

      Filesize

      40KB

      Download