Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

0f5abecd5d...cs.exe

windows7-x64

7

0f5abecd5d...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06/06/2024, 11:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    0f5abecd5dfc00bbc09f7052f6405f30

  • SHA1

    251fb46678761cf1c29abdaebf5e616d3dfca8bc

  • SHA256

    e282d3607f5b07def18bbaa16c078baa000aef4eb3d48e615319c56761247993

  • SHA512

    093293378143fd640faa97a2249e63a63e183e2110f52350e30d18048554037c0271c6c25db2513a2909303c7a0b7ac51743bd74089aae22cc0523603904687d

  • SSDEEP

    384:HL7li/2zHq2DcEQvdhcJKLTp/NK9xa+c:rjM/Q9c+c

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\doylgiyp\doylgiyp.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9453.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF650768FDCC4156895824129C31AE3.TMP"
        3⤵
          PID:2640
      • C:\Users\Admin\AppData\Local\Temp\tmp8F65.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp8F65.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0f5abecd5dfc00bbc09f7052f6405f30_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2560

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      0b6dc7e9722c5372b5401904b99b04a8

      SHA1

      da6fe540e9de4455216324d9f2de27b764ecf84e

      SHA256

      a00cf2c83b30798ab90e1d9e148fd11081c62e175b8233b9117412b0674a8aef

      SHA512

      15baef39de3564779acf3c6ebaeabb2bca5a40d52cbac0c6402730fc172f89487178bbd2556248c60f79f09f6eadcff71f555619e07681fd77815b7bbb17a04b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES9453.tmp
      Filesize

      1KB

      MD5

      1bf73a9e51efd12eea2ff11f9fc7ac53

      SHA1

      a449f6a44a8eeed1f2b549ce86f8059729224586

      SHA256

      380fd0962464ecb11b6f453706e61220d4e4dbc96419c28b420529cad8f5cf5c

      SHA512

      adcb4da23b2d8cfab595033c3131614842e730d9ecc9a1f69522fd32eaaa7cd0e91ff6ff4b092cfd794651537472a5ca3e13f9330cb8ec19da157733ca17c621

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\doylgiyp\doylgiyp.0.vb
      Filesize

      2KB

      MD5

      0bd436e762011ec463c4751f1a3412e0

      SHA1

      572f02663ba8b3b09ba91fccc793b3576c8841b6

      SHA256

      b09b3b98a667f38b42c8d8a16df3518bcd8add34270fdf1cd022c65a67db67f1

      SHA512

      1c85176f5ad52637e4a0f1927c0a50cda306d3e0c173b150b6b037b4f4999a2932a758c77eb8782dd355dc2a5f7287da55f54425d3e43b37c362b701e9b753df

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\doylgiyp\doylgiyp.cmdline
      Filesize

      273B

      MD5

      e62a8c3387f55096b995751f3e071235

      SHA1

      d7c3aacd826c3a76fe4ec6faaba8f564a99057fb

      SHA256

      111bec4644877f9869914d6abfe0cb644efb2f1ef9480e1bef52b4f22f4813c0

      SHA512

      0f3e9d50d480ff19f8e3d64533500017486c9f2937e1f079d4b3c2358b1b251914be5ff0bb7f5ef695c226da3bd49c2cf8a8be4dcb0b4de5f60d93eccf4364f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp8F65.tmp.exe
      Filesize

      12KB

      MD5

      7970610cd857cbf579e5f75ef75fbbc3

      SHA1

      67b0d0e390e24cf5bf3d77e62fd120865174a34a

      SHA256

      f0ff7423480c409144dbd84fdd6f26d4bab4dc34e52510c8516b5b13bc3884a7

      SHA512

      f2a80aa8e53d78f808ca43390903556bd13a09031f7753a1d4570ae5130e9ae65fba11a5afbb65995e852c2673fb3a9033d290c321d3c4109c579b725d296d22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcAF650768FDCC4156895824129C31AE3.TMP
      Filesize

      1KB

      MD5

      c2a5f081c0614af2ab64ea0cca3f9360

      SHA1

      ff0e7fcf84d7774c78f6bb98d249a7e3a5f122c3

      SHA256

      d98c98ea725297e80f2bed47cf9e605ed282076fd4493baddae111a8a330030b

      SHA512

      a8947cd0e3916e74f799a654e21d6b36c8a96e9d1fa16f22443f1ecc7293cc9cf0a65430bba4ef47a7360d4e1de2f844d251becbc726c14700c5d74cf2a37cb6

      Download Submit

    • memory/2560-24-0x0000000000370000-0x000000000037A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2772-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2772-1-0x00000000013E0000-0x00000000013EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2772-6-0x0000000074A30000-0x000000007511E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2772-23-0x0000000074A30000-0x000000007511E000-memory.dmp

      Filesize

      6.9MB

      Download