Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 04/06/2024, 00:50
Static task: static1
Behavioral task: behavioral1
  Sample: 19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe
Size: 12KB
MD5: 19362c9092cf3bf6d32fbd9973264f10
SHA1: e6185143bd2081220a80498289bb4864e614bfb8
SHA256: 770b0b9dc75dad954a5722f698dc3f16a82d06100f97d5fd02cfe4c9b02ffe12
SHA512: fbb6c893971d54e79be857738e70a4d48e8cdf008d32582e262f7c095c5da304f5621168ad178c2fcdb7ec9719e585d99a1a74bcd677e91650b4ef47a277182f
SSDEEP: 384:5L7li/2zzeq2DcEQvdQcJKLTp/NK9xaiQ:JaMCQ9ciQ
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2828  tmp1A07.tmp.exe
Executes dropped EXE (1 IoC)
  pid 2828  tmp1A07.tmp.exe
Loads dropped DLL (1 IoC)
  pid 3020  19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe
Uses the VBS compiler for execution (1 TTP)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 3020  19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                               procid_target
  PID 3020 wrote to memory of 2644   3020  19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe   28  (4 identical entries)
  PID 2644 wrote to memory of 2656   2644  vbc.exe                                               30  (4 identical entries)
  PID 3020 wrote to memory of 2828   3020  19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe   31  (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe"
  PID: 3020
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ukboq1jb\ukboq1jb.cmdline"
    PID: 2644
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BDA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc815F7335EDE5429FACA6B496861C6C9B.TMP"
      PID: 2656
  C:\Users\Admin\AppData\Local\Temp\tmp1A07.tmp.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1A07.tmp.exe" C:\Users\Admin\AppData\Local\Temp\19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe
    PID: 2828
    - Deletes itself
    - Executes dropped EXE
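The process tree above shows two behaviours worth turning into detection logic: the sample drives the .NET Visual Basic compiler (vbc.exe, which in turn spawns cvtres.exe) with a .cmdline response file under the user's Temp directory, which is the shape of runtime CodeDOM compilation, and it launches a freshly dropped Temp executable whose only argument is the sample's own path, which is the usual way a dropper arranges to be deleted by a helper. The twelve WriteProcessMemory entries pair off with the three process creations in the tree (3020 to 2644, 2644 to 2656, 3020 to 2828), so the logic below keys on parent/child relationships rather than on the memory writes. This is an added example, not part of the Triage report: the event fields are modelled on Sysmon Event ID 1 (pid, parent pid, image, command line), the events are constructed to mirror the tree on this page plus a constructed benign MSBuild control, and the allowlist of parents that legitimately drive the compilers is an assumption to tune per environment.

```python
"""Detect runtime .NET compilation and drop-and-delete-me helpers in process events.
Added example, not from the Triage report. Event fields follow Sysmon Event ID 1
(pid, ppid, image, cmdline); the events below are constructed from the tree above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line


# .NET command-line compilers that CodeDOM invokes with a response file.
COMPILERS = {"vbc.exe", "csc.exe"}
# Assumed allowlist: parents that legitimately compile with Temp response files
# (PowerShell Add-Type produces the same vbc/csc chain, so it is listed here).
KNOWN_COMPILER_PARENTS = {"msbuild.exe", "devenv.exe", "powershell.exe", "powershell_ise.exe"}
# Matches @"path.cmdline" or @path.cmdline on the compiler command line.
RESPONSE_FILE = re.compile(r'@"([^"]+?\.cmdline)"|@(\S+?\.cmdline)', re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def detect_runtime_compilation(events: List[ProcEvent]) -> List[Tuple[int, str, int, str]]:
    """vbc/csc launched with a response file under %TEMP% by a non-build-tool parent.
    Returns (parent_pid, parent_basename, compiler_pid, response_file)."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in COMPILERS:
            continue
        m = RESPONSE_FILE.search(e.cmdline)
        if not m:
            continue
        response = m.group(1) or m.group(2)
        if not in_user_temp(response):
            continue
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else "<unknown>"
        if parent_name in KNOWN_COMPILER_PARENTS:
            continue
        hits.append((e.ppid, parent_name, e.pid, response))
    return hits


def detect_temp_helper_given_parent_path(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """A child running from %TEMP% whose command line names its parent's own image:
    the drop-a-helper-to-delete-me pattern. Returns (parent_pid, child_pid, child_basename)."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not in_user_temp(e.image):
            continue
        if parent.image.lower() != e.image.lower() and parent.image.lower() in e.cmdline.lower():
            hits.append((parent.pid, e.pid, basename(e.image)))
    return hits


# Constructed events mirroring the report's process tree; ppid 1000 stands in for the
# launching shell, and pids 4000/4100 are a constructed benign MSBuild build.
T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = T + r"\19362c9092cf3bf6d32fbd9973264f10_NeikiAnalytics.exe"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [
    ProcEvent(3020, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2644, 3020, NET + r"\vbc.exe",
              f'"{NET}\\vbc.exe" /noconfig @"{T}\\ukboq1jb\\ukboq1jb.cmdline"'),
    ProcEvent(2656, 2644, NET + r"\cvtres.exe",
              f'{NET}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{T}\\RES1BDA.tmp" '
              f'"{T}\\vbc815F7335EDE5429FACA6B496861C6C9B.TMP"'),
    ProcEvent(2828, 3020, T + r"\tmp1A07.tmp.exe", f'"{T}\\tmp1A07.tmp.exe" {SAMPLE}'),
    ProcEvent(4000, 1000, NET + r"\MSBuild.exe", f'"{NET}\\MSBuild.exe" C:\\src\\app\\app.vbproj'),
    ProcEvent(4100, 4000, NET + r"\vbc.exe",
              f'"{NET}\\vbc.exe" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'),
]

if __name__ == "__main__":
    for hit in detect_runtime_compilation(SAMPLE_EVENTS):
        print("runtime compilation:", hit)
    for hit in detect_temp_helper_given_parent_path(SAMPLE_EVENTS):
        print("temp helper given parent path:", hit)
```

Run against the constructed events, the first detector reports only the vbc.exe launched by PID 3020 with the Temp response file (the MSBuild control is ignored because its response file sits under the build tree), and the second reports only tmp1A07.tmp.exe (PID 2828) with the sample's path on its command line. Both rules are triage signals rather than high-confidence alerts on their own: legitimate software does compile at runtime through CodeDOM, which is why the parent allowlist exists, and the chained result (a compiled Temp binary immediately executed with the dropper's own path) is the stronger indicator.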
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 35c3a7fee876a7e746615fe14a6f0462
SHA1: 4ef22ef241d4fdc882a14d5a78f1396c41f73700
SHA256: 7d911b903606a094bb0ae11e22df8d44c970cd4bfc9fcc875a2c5f644a1e4b20
SHA512: fcf0493ce1d5efa50cfc73674ee99db26af4a59d00d5b0036f863183e3d87d68943743c2d6d4c135e6c58fc9e2a342e0241a732066e94a07519bf37abcb0c76c

Filesize: 1KB
MD5: 58507d9198f5097ce4c6ee51ed5a8d7c
SHA1: cdf63eaec65ac2fa4345308d15b3ca5b0330b133
SHA256: 219b990048dee40137380e19b0cf9821d0ff2f91e52bcb3a44d134a5f7806f49
SHA512: 6eba46222fd263976cdb20c9c223c62a4a1bd7916b4c5dcaba6b913ab61cc8058be8b4c4d8accb50c54b459727f34460959d9b80fd75fd246ee0f574c2873ac8

Filesize: 12KB
MD5: 81000feb29251c519edfa854899e0670
SHA1: fa9e5b86c559efdef72a1fcd51b4d023a3b4ac74
SHA256: c7cd22bfa0c5567a654cb3b7eef82468bbde6f107b903dd51b9fd8e2316aff5c
SHA512: 61e1afc63b0f40ebfb96224468857887e0984bb40cfdc7830d611e2ca9cb86119e0675287802f21574f31e236aa8308339eedb091e0b37afb5fb40aeffc38724

Filesize: 2KB
MD5: e5466f4dfca9625bcb733d4ce006581a
SHA1: 2955acbf5fc00358712ad252020e9eb39df2d4b4
SHA256: c2cd07599b1e490bbd9ee349a846bc992b1e0cfca2475df556ced177b46dcbb7
SHA512: cf5bc3e0e4c43b274eadf58f0e4c9b5ac71f1f735fddbc6070ac7bcabb234dc01a8f925dbdb69014848491daa80210535dd7533f13988a742fb9feeab40bd3d2

Filesize: 273B
MD5: 22d20a47ea1ca4c3479d51edb2f523d7
SHA1: 43d9eb6c71f8aedcc7d7d38035e464dac559b682
SHA256: c9f5cc775bef199c2154a7d199ea4ca08cab534eda8a44b3de768e5bcdf4b5df
SHA512: 22c4a7eb882efaeae3477d85862e89aaff15b8fb3da9809fdbd0b18c04b764688e1fbee5e6aab29f13df3ef77b61509e603b32483d85d3771e5f6852cbbf08e2

Filesize: 1KB
MD5: 1d04d81581d49371e38848e8086af4ac
SHA1: 3f69eac195cf0f88beb6027d5fd3c5912f29d0fc
SHA256: e8463f9e039880e9e30801c62638fafc172d815485f3f628ccbb630f09ed99fe
SHA512: 3ba35b3dbb4a56d59e9e9abbe242ed10fd299f6149e9f0b17236f4f4fb5168010e23af6575a6e5b1f709843217b2b51fed646892f189bc5932c6bfc64fa5df03