Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

3e43977226...cs.exe

windows7-x64

7

3e43977226...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04/06/2024, 07:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    3e439772261bc91cc430e15cfe5ca2f0

  • SHA1

    869ef60e1227083740fdb0a7b94d79a417cb0d2d

  • SHA256

    684289abd865c137a1356368db6e5f5760bd46789b0783324af6f8461dae986f

  • SHA512

    541eeaffa2a3e7275ab69125d3a428734d29e35969adf2b774cf0721bf6b96191b18811c08dafff2722fc6b6480723d02f59237431bf9288cba4e1fec2d76a71

  • SSDEEP

    384:/L7li/2zzq2DcEQvdQcJKLTp/NK9xay3:zvMCQ9cy3

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aempjprg\aempjprg.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8527.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61EB35ABD3654FBBB05AE13AE8CD3FE2.TMP"
        3⤵
          PID:2560
      • C:\Users\Admin\AppData\Local\Temp\tmp80E4.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp80E4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3e439772261bc91cc430e15cfe5ca2f0_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2540

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      506cf4c3b41ebe8e77ad73202ae0d2f0

      SHA1

      d751feb1e242e9f14cc09a33b32eac5ad8223c28

      SHA256

      b898f5e3b7882a801b0e3fd151214db6f0f5a715468edf3ab461c3fc44386461

      SHA512

      2a6dfd8fb3ffc2b891849c64f260c0845e277986caf2c7595b544263ce949ab3ea8d420bcb542f4c508a243a62fb69fa66053c3390bd01ac2d2e6de36390c909

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES8527.tmp
      Filesize

      1KB

      MD5

      092b005b7f01700f569e387bbd419197

      SHA1

      1de73879f3885b63fc65d1f95547f484db090c4b

      SHA256

      7a659838e08aca73e15ed362bb3be7e32c1981967dd52bcbdde6ff8cd2a5ef30

      SHA512

      816efe56428f33869f79112d14911e9c3004b22783475344e0e766e898c7845ed498a62f9d73af48c73644500efecce1551f7a82be5e83625b05965873872e25

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\aempjprg\aempjprg.0.vb
      Filesize

      2KB

      MD5

      f2745c51266a82d3230eaa9f3e0d65c8

      SHA1

      56ee8593005131924bbff400d28eb0a684621cce

      SHA256

      fdffd7a0cbd3d21100ce3fbcee8f9bc82a9518a731822933d7854ba50750de3a

      SHA512

      8b4155f897b45175421e4e4c0200a50a1264c5e33364b3ac3a4db60eacd38430faddc42037afcc5abe437e837363b35bd0bbc45afc59acb3ac2418417baa67df

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\aempjprg\aempjprg.cmdline
      Filesize

      273B

      MD5

      9da12104faca8be7c23ba1a7bfcd0fdf

      SHA1

      c18cbd8485ee9e6bb5eef8ef5754735cf8b3bfe8

      SHA256

      2a4d4ad83862d133613f858814bd93efca08489a17882590481da60a5da1ded6

      SHA512

      d4cdc988a99a299e2631d48a5b200a87a1d350ad4d14866d8a594cc387b4691c95e7d481ac829c482b2b49d6a51411285ecd56e4e3ed048b24dbda57cae09cdc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp80E4.tmp.exe
      Filesize

      12KB

      MD5

      47f4ec960a0d40bed4c077fcc0362950

      SHA1

      e3dfe4ffff5052bc3d8de7ff70733146b6cc46b7

      SHA256

      a2f69cf0e932d74242309ff9f22ea6fd7806a92e5c822c8c26c43830b5328085

      SHA512

      d48610ca2df8e91a861b40b0e1ce84cd6d9b465dcaad4639efc3c140b74f05308e99334f51668f9f2586d9f1d02a13347485e4764ab5360eeba062deeb069aa0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc61EB35ABD3654FBBB05AE13AE8CD3FE2.TMP
      Filesize

      1KB

      MD5

      cea60e700477cafc190e318dbe045383

      SHA1

      3e82035d77f770ba71039ea94ca83b8ed7555908

      SHA256

      3df2ac2e674aa75d375ec0219850035002b42ab86ff8b6a8e1e7b0b49c167919

      SHA512

      b0084454055cd5e17f309b092df500283a53351789737917bf5f1309b672f142cd90183b892e8d8134fbb70526f9794ecbbc01d3b81baa100542302f64067b50

      Download Submit

    • memory/2244-0-0x000000007486E000-0x000000007486F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2244-1-0x0000000001260000-0x000000000126A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2244-6-0x0000000074860000-0x0000000074F4E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2244-24-0x0000000074860000-0x0000000074F4E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2540-23-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

      Filesize

      40KB

      Download