Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 04/06/2024, 01:40
Static task: static1
Behavioral task: behavioral1
- Sample: 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
- Size: 12KB
- MD5: 1de6fa7a84e25a1df9d24bbd4a7ae9b0
- SHA1: 96459fce9384be0e56af03f66d8338374397b10c
- SHA256: c5a3a0e9f1c4fb0e9861b3d03c9344d9bb54767f614a39647422ccdfa37d61a7
- SHA512: a902a921fd9cdcebe613f83478840e5fec3414fb3c17ce251f27af2f6bd2905ee2fbe2b1e0e29460c68cc125e7ef43dd63f09349311ebb7b969c000e616f012a
- SSDEEP: 384:pL7li/2zaq2DcEQvdQcJKLTp/NK9xa8v:ZCMCQ9c8v
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2732, process tmp367C.tmp.exe
- Executes dropped EXE (1 IoCs)
  pid 2732, process tmp367C.tmp.exe
- Loads dropped DLL (1 IoCs)
  pid 1684, process 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 1684, process 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1684 wrote to memory of 1196 | 1684 | 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe | 28
  PID 1684 wrote to memory of 1196 | 1684 | 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe | 28
  PID 1684 wrote to memory of 1196 | 1684 | 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe | 28
  PID 1684 wrote to memory of 1196 | 1684 | 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe | 28
  PID 1196 wrote to memory of 2260 | 1196 | vbc.exe | 30
  PID 1196 wrote to memory of 2260 | 1196 | vbc.exe | 30
  PID 1196 wrote to memory of 2260 | 1196 | vbc.exe | 30
  PID 1196 wrote to memory of 2260 | 1196 | vbc.exe | 30
  PID 1684 wrote to memory of 2732 | 1684 | 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe | 31
  PID 1684 wrote to memory of 2732 | 1684 | 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe | 31
  PID 1684 wrote to memory of 2732 | 1684 | 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe | 31
  PID 1684 wrote to memory of 2732 | 1684 | 1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe (depth 1, PID 1684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 2, PID 1196)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d4gev221\d4gev221.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 3, PID 2260)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3830.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0C740F8697D4D64A62C44AF5AF22F4.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp367C.tmp.exe (depth 2, PID 2732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp367C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads