Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

60975a24d0...cs.exe

windows7-x64

7

60975a24d0...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    02/06/2024, 20:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    60975a24d0d5bca2ac9dbbb8670673a0

  • SHA1

    0dcde229be7c44eaf6d1bbb928d348069da35cc1

  • SHA256

    5863ab1c9f2e011e13b02536e160a75582f946e52af1f89311d8db68363b77fb

  • SHA512

    9488d131d4a0d2fc9ca647da392fff57efde85b578b7afe20a11fc36f1303c80f15978e9d9542604b5293fceaa42389792f674a63aa3248948bd2a93378b4398

  • SSDEEP

    384:fL7li/2zuq2DcEQvdQcJKLTp/NK9xaI1:T2MCQ9cI1

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\etfnjnna\etfnjnna.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES343A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C550EFE58824E54BD42ADB26FD3C925.TMP"
        3⤵
          PID:3000
      • C:\Users\Admin\AppData\Local\Temp\tmp3286.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp3286.tmp.exe" C:\Users\Admin\AppData\Local\Temp\60975a24d0d5bca2ac9dbbb8670673a0_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2748

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      c99ccf195c608b29325f72c08267964b

      SHA1

      15bd43518bb0ccb387cb307e6b70476bb4a28830

      SHA256

      4b13c7d04ef0912857c2429f800057b172b4e13c3960ca5472290fc29beb864a

      SHA512

      44c0d9fd2a32e9dae29181b553363d2d6f30b22ffefe96f8086a17715c01869f55028df1b22d47b5d356791a943d3d026660c4857608d6badad2904350861f6a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES343A.tmp
      Filesize

      1KB

      MD5

      749f516545c4f863e7ada2b4b2857b71

      SHA1

      5cba70bf7ecf5514a61cecb63d8c0b7ea6a4af19

      SHA256

      652519f28abf2b82bf78957de21f480f6a1ef27fce3034a577688559dda05bc1

      SHA512

      945b1eda5b865b7066995dc80d200a89d812fb69c72a1a71c4a2775fe1086e232ef67295058bbe44541898e3547e6a059ec77111dc75a5091657601c7a091427

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\etfnjnna\etfnjnna.0.vb
      Filesize

      2KB

      MD5

      35a9e0ea11e8c067dd05d3d00e9384a7

      SHA1

      a8898ca687e59fbc3d0a35270a97ad787027b82b

      SHA256

      0cefa42381209989c88ddab453874ffb83d8dc9bef79e26a6ad3a6b25e704e69

      SHA512

      92006f8dccc435801a5e3d0ffa5997f04fe8fcffba34e1fc848b35cf7048a551e8e7fcadfee1ad7ff33448f280e0a72481650f569eec420d99ae90a3e8d12c7a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\etfnjnna\etfnjnna.cmdline
      Filesize

      273B

      MD5

      dc94745aee5ea69ea2bdd4b8f13ed53f

      SHA1

      a70e224687a8716c29a6af0b5f2f6fe211804e68

      SHA256

      4ba49d3f4bff54dd208d09240decbee75ba87e76fffab2309177e787c7f4ca67

      SHA512

      976d21a7596031585911ee78066b2aaad7409b344304658c75d67f045953883c7e32d52de22a2f504f99deb3f1b0d1e5eb6dd2d8649223cac1e9de515a6eaf55

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp3286.tmp.exe
      Filesize

      12KB

      MD5

      827f9be3229ad8e57b01924718cf0f9c

      SHA1

      ae38b238d040c78bc49c0804a4fbb3a12b406ffd

      SHA256

      99a2fb2ed86724d82a2ab9bf7c3cc2897c2d0681572468da2bc546cba19e95cd

      SHA512

      5714a1c632e8baf3325b6323af60effdd2a0f84cc60e61ad0adb29a2c7d5397dda53b90e312c6a60002b5a0b54068a5ad3110fc47030f89955ffabe3bb38b80d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc3C550EFE58824E54BD42ADB26FD3C925.TMP
      Filesize

      1KB

      MD5

      14483eb1cbab942fac1ab636db55424b

      SHA1

      aaf9dc9c7f5bf4c1683965f0d824cb2a7ff0671c

      SHA256

      3805744fb079b85d1f36dd53be92ca8556075ebbf4c695c517b2560288ce60ff

      SHA512

      5c961637f8efaa7d84e51f6a31c814a641d4a4a09c5324348147222acf7597c139c59ab125e24c9385204a82c828cac754f61e2bb055081f96b3f0a57d8a3aaf

      Download Submit

    • memory/2052-0-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2052-1-0x0000000000D80000-0x0000000000D8A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2052-7-0x0000000074CF0000-0x00000000753DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2052-23-0x0000000074CF0000-0x00000000753DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2748-24-0x00000000013A0000-0x00000000013AA000-memory.dmp

      Filesize

      40KB

      Download