Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

426c6e1b1c...cs.exe

windows7-x64

7

426c6e1b1c...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    04/06/2024, 08:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    426c6e1b1cdf078fe14dc121725beb90

  • SHA1

    68ae76e5c5fc76875d82f4c94a57614b374fd4fd

  • SHA256

    24a8cd8aea3c786a001cae6c907bd85a707e25d8f04cb36bd27fc34e18f30f7f

  • SHA512

    c56c4e8059e95ecc5428b718fdbeb3104bb8477f6287d7f0150adee9f65946bb8b369dd7e84814a174423651b8f7d2c410a13fcc8a61b20a448ea5006098e99e

  • SSDEEP

    384:5L7li/2zYq2DcEQvdhcJKLTp/NK9xawc:JkM/Q9cwc

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:952
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oldotldm\oldotldm.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD03F03348F430E933DD9715CB88156.TMP"
        3⤵
          PID:2092
      • C:\Users\Admin\AppData\Local\Temp\tmpB19.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpB19.tmp.exe" C:\Users\Admin\AppData\Local\Temp\426c6e1b1cdf078fe14dc121725beb90_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2596

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      5a479f1c7e8ab9c694320a47d287a5c3

      SHA1

      4cfb0a0d61acac5ed4f4205e3a6881c9a05a1543

      SHA256

      9092cd07f379cb3876f46abcca77572294328942df0e3621474af543a005523d

      SHA512

      3bdd0c2deba15d273bc86c4d3b60fd488d216034302ac747e34b7c7de9174417742902ba913e136bee99b5595cd5a68b17d7b7f6f79ce8b41740300b911edec9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RESCAE.tmp
      Filesize

      1KB

      MD5

      1af807dde18a4924393e8554d6302d7c

      SHA1

      a6c7362d6cdd325eb987c25d4e3d3957442e3ccd

      SHA256

      55e9410ef433e4c157150378a5ba8d88b3a22338b1923ee35b548414ddf42798

      SHA512

      b026699672817564588f89eb4fe5daa2b1612e9c4d34a4067e98a7dfefa0c1dddb6e2017f77bac98f22487819edea210b9fce2c78cac583695086bb093e9fefb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\oldotldm\oldotldm.0.vb
      Filesize

      2KB

      MD5

      0efbb8a33fb6872c0eecfae5cc5ebbcd

      SHA1

      7aff65935f9e83e931dc02ff29b992f2b9189f85

      SHA256

      e3d8e0bb8883076876555d521c9abe4cf0936277dc3c9d1d49eaaa72490f5dea

      SHA512

      d7e1f9296b5eb9b1b017aa1e91b877763c2b2fd59c44dc9dc97d07615fec04f42be1796da5a352f945ea2d7f750c3f31656e5c3d4e625dd952789cdc33e38ebd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\oldotldm\oldotldm.cmdline
      Filesize

      272B

      MD5

      5e05bea141a306c6331e5b7e83a73e14

      SHA1

      0182f72ce52f06beef10581a4fbc57a8b59f4ee6

      SHA256

      b496904d29c4aca145fba86ef0336cee0e68c63aff88a3f63af8c9bd680f4fd3

      SHA512

      a9ab07690d705c544f45a14c356edeb5313f4239051df8a3e955319fe75d15a7500b48262f9553974344d131cc00b934c60c30b35711eaf17f9cd0e6cdbfdee1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpB19.tmp.exe
      Filesize

      12KB

      MD5

      552d31a3aaefd07ed2d5f68178e869fc

      SHA1

      039aeefdaa237766db8c9b9f4a10d63f43c3c9f6

      SHA256

      2129b349475a6849d2f288febe1b7f1e9a93c6ceaf9bfa7b0479ea052bf4288e

      SHA512

      51fa1dd3f81196f300450ba79a375bcc2b8e649cd2aeb8e21d7fd0054904bd74d28530c540cc26c15b845609a8aea35074671e24cbe18a7210354582ad2014fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcD03F03348F430E933DD9715CB88156.TMP
      Filesize

      1KB

      MD5

      a2b9862e1dee9f42de6edd1feb356382

      SHA1

      598e2c187c5153e9c01ac27c48f0142283ac82db

      SHA256

      6998ad12847fb900c16ae7f0eba40bba66e5918e4177845360fad31e1266fb7d

      SHA512

      b60b0a31bdb1bebaf5b0792bda3c3ee13d2c47b9040f4a960b050e204bed3519a995be35fe36521e08bf75b7f0e7023e03300b8581aabe49b8af2a6e4c6c4793

      Download Submit

    • memory/952-0-0x000000007481E000-0x000000007481F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/952-1-0x0000000000EE0000-0x0000000000EEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/952-7-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/952-24-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2596-23-0x0000000001050000-0x000000000105A000-memory.dmp

      Filesize

      40KB

      Download