Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

1de6fa7a84...cs.exe

windows7-x64

7

1de6fa7a84...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    04/06/2024, 01:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    1de6fa7a84e25a1df9d24bbd4a7ae9b0

  • SHA1

    96459fce9384be0e56af03f66d8338374397b10c

  • SHA256

    c5a3a0e9f1c4fb0e9861b3d03c9344d9bb54767f614a39647422ccdfa37d61a7

  • SHA512

    a902a921fd9cdcebe613f83478840e5fec3414fb3c17ce251f27af2f6bd2905ee2fbe2b1e0e29460c68cc125e7ef43dd63f09349311ebb7b969c000e616f012a

  • SSDEEP

    384:pL7li/2zaq2DcEQvdQcJKLTp/NK9xa8v:ZCMCQ9c8v

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d4gev221\d4gev221.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1196
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3830.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0C740F8697D4D64A62C44AF5AF22F4.TMP"
        3⤵
          PID:2260
      • C:\Users\Admin\AppData\Local\Temp\tmp367C.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp367C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1de6fa7a84e25a1df9d24bbd4a7ae9b0_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2732

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      5981d3025336f9bf5ad7a02b143265fa

      SHA1

      2c07f5795b2a5136d60fe24d4744aa6ff2d363ba

      SHA256

      f6815050fe0b346d49d83220083c5d7161ebe50dc50f0bc40716230eb42cfe13

      SHA512

      2d543c6ee801b111fc8e7bdcf45a6fc92c199ffbea5431222c4174908609ea564c95ed555f36f3a5f7c914d1cd39a00926d018defb06a4b98b8aaae252e3d899

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES3830.tmp
      Filesize

      1KB

      MD5

      e015e1ad1cd9c48ae7541b1cf478af87

      SHA1

      35cb92223dc9c9a6b8aeeead5d5102a914f971ca

      SHA256

      6a909e69450febd2621f476f75b212d3e23c7e767bb29036677575e5177d1f0a

      SHA512

      c55c7394ddd7757215f198ae4e453465953a3989034165ef51e34d700ca8f8bce3eedca24da459af4e0a100c0832c4c6fd8827978ccfb6dc3b1aedae447c1f53

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\d4gev221\d4gev221.0.vb
      Filesize

      2KB

      MD5

      249c80630c3a438fe70c38f0c02952d4

      SHA1

      ce073e144701ddd0574d9f5da47a011650f94adc

      SHA256

      75f12ef403e3d974c43ba46fb16ad53d5beb19647651c598a8c47510edbb2393

      SHA512

      88e2e1f95a0dd16021627d363f429bca39d423ef88a58d75e8bafa028a31cf82e5dfa17071352b2382a5054fd0c70d7dcb7ca7dab84e2fbbc350eeeaa72771a4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\d4gev221\d4gev221.cmdline
      Filesize

      273B

      MD5

      4948f2f29a194c848173395c18648418

      SHA1

      5a2e153d211218b4c7697d0b4c4219d85e1d4331

      SHA256

      66ea52443e35660a621a830cb5d7dc29e282014bfd3c6266ed1557904e64e321

      SHA512

      4d2ba1df0a30505043120775abd2441fbee32a6b86cf240ead0f31935dd542be4a9f25076127124fd174116f4ad3deb2c6f0dc769e92b409a2bdb9a73a096dff

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcF0C740F8697D4D64A62C44AF5AF22F4.TMP
      Filesize

      1KB

      MD5

      f3b2d59a816fbe2c348301aa3a481f8a

      SHA1

      75ec06bf3d48d2a1a7416b0c95afe3d99b112e7d

      SHA256

      5a425bf0613a97cc960e197c8bbadca686ae4a68ab3230fbf6c4cc49d16b39cd

      SHA512

      b735abf452c34993974bcfd392731b47e63d5f6e6a1000665a8ebdc6ee670ef3cf806f8edaed55c662944426ddc03d6f5d8728f93ecc88173a91d4bd48696f1d

      Download Submit

    • \Users\Admin\AppData\Local\Temp\tmp367C.tmp.exe
      Filesize

      12KB

      MD5

      aa43d1efeaaf72054c634f5d3904ca96

      SHA1

      dc14ba15b0807719da2c5da66b00cc8a2667134b

      SHA256

      2863e95dfece0e126eb70cb036d2a44fbaf732e93fec65621efe94d3cdad807e

      SHA512

      82234a7c5e15b4d2731f6c46e9d1e82d213ca58142a891e916cda71fc8dd3a11c4c454de10f33ae3ebe5ae5513e9c7a295be0335f9d4cc27158574bbb249a6ea

      Download Submit

    • memory/1684-0-0x00000000746BE000-0x00000000746BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1684-1-0x0000000000E70000-0x0000000000E7A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1684-7-0x00000000746B0000-0x0000000074D9E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1684-23-0x00000000746B0000-0x0000000074D9E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2732-24-0x0000000000180000-0x000000000018A000-memory.dmp

      Filesize

      40KB

      Download