Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

19362c9092...cs.exe

windows7-x64

7

19362c9092...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    04/06/2024, 00:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    19362c9092cf3bf6d32fbd9973264f10

  • SHA1

    e6185143bd2081220a80498289bb4864e614bfb8

  • SHA256

    770b0b9dc75dad954a5722f698dc3f16a82d06100f97d5fd02cfe4c9b02ffe12

  • SHA512

    fbb6c893971d54e79be857738e70a4d48e8cdf008d32582e262f7c095c5da304f5621168ad178c2fcdb7ec9719e585d99a1a74bcd677e91650b4ef47a277182f

  • SSDEEP

    384:5L7li/2zzeq2DcEQvdQcJKLTp/NK9xaiQ:JaMCQ9ciQ

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ukboq1jb\ukboq1jb.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BDA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc815F7335EDE5429FACA6B496861C6C9B.TMP"
        3⤵
          PID:2656
      • C:\Users\Admin\AppData\Local\Temp\tmp1A07.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1A07.tmp.exe" C:\Users\Admin\AppData\Local\Temp\19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      35c3a7fee876a7e746615fe14a6f0462

      SHA1

      4ef22ef241d4fdc882a14d5a78f1396c41f73700

      SHA256

      7d911b903606a094bb0ae11e22df8d44c970cd4bfc9fcc875a2c5f644a1e4b20

      SHA512

      fcf0493ce1d5efa50cfc73674ee99db26af4a59d00d5b0036f863183e3d87d68943743c2d6d4c135e6c58fc9e2a342e0241a732066e94a07519bf37abcb0c76c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES1BDA.tmp
      Filesize

      1KB

      MD5

      58507d9198f5097ce4c6ee51ed5a8d7c

      SHA1

      cdf63eaec65ac2fa4345308d15b3ca5b0330b133

      SHA256

      219b990048dee40137380e19b0cf9821d0ff2f91e52bcb3a44d134a5f7806f49

      SHA512

      6eba46222fd263976cdb20c9c223c62a4a1bd7916b4c5dcaba6b913ab61cc8058be8b4c4d8accb50c54b459727f34460959d9b80fd75fd246ee0f574c2873ac8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1A07.tmp.exe
      Filesize

      12KB

      MD5

      81000feb29251c519edfa854899e0670

      SHA1

      fa9e5b86c559efdef72a1fcd51b4d023a3b4ac74

      SHA256

      c7cd22bfa0c5567a654cb3b7eef82468bbde6f107b903dd51b9fd8e2316aff5c

      SHA512

      61e1afc63b0f40ebfb96224468857887e0984bb40cfdc7830d611e2ca9cb86119e0675287802f21574f31e236aa8308339eedb091e0b37afb5fb40aeffc38724

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ukboq1jb\ukboq1jb.0.vb
      Filesize

      2KB

      MD5

      e5466f4dfca9625bcb733d4ce006581a

      SHA1

      2955acbf5fc00358712ad252020e9eb39df2d4b4

      SHA256

      c2cd07599b1e490bbd9ee349a846bc992b1e0cfca2475df556ced177b46dcbb7

      SHA512

      cf5bc3e0e4c43b274eadf58f0e4c9b5ac71f1f735fddbc6070ac7bcabb234dc01a8f925dbdb69014848491daa80210535dd7533f13988a742fb9feeab40bd3d2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ukboq1jb\ukboq1jb.cmdline
      Filesize

      273B

      MD5

      22d20a47ea1ca4c3479d51edb2f523d7

      SHA1

      43d9eb6c71f8aedcc7d7d38035e464dac559b682

      SHA256

      c9f5cc775bef199c2154a7d199ea4ca08cab534eda8a44b3de768e5bcdf4b5df

      SHA512

      22c4a7eb882efaeae3477d85862e89aaff15b8fb3da9809fdbd0b18c04b764688e1fbee5e6aab29f13df3ef77b61509e603b32483d85d3771e5f6852cbbf08e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc815F7335EDE5429FACA6B496861C6C9B.TMP
      Filesize

      1KB

      MD5

      1d04d81581d49371e38848e8086af4ac

      SHA1

      3f69eac195cf0f88beb6027d5fd3c5912f29d0fc

      SHA256

      e8463f9e039880e9e30801c62638fafc172d815485f3f628ccbb630f09ed99fe

      SHA512

      3ba35b3dbb4a56d59e9e9abbe242ed10fd299f6149e9f0b17236f4f4fb5168010e23af6575a6e5b1f709843217b2b51fed646892f189bc5932c6bfc64fa5df03

      Download Submit

    • memory/2828-24-0x0000000001070000-0x000000000107A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3020-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3020-1-0x0000000000150000-0x000000000015A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3020-7-0x0000000073F90000-0x000000007467E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3020-23-0x0000000073F90000-0x000000007467E000-memory.dmp

      Filesize

      6.9MB

      Download