Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 06/06/2024, 13:16
Static task: static1
Behavioral task: behavioral1
- Sample: 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
- Size: 12KB
- MD5: 182ef97364bb9b12f59442fa3997fa00
- SHA1: 5967673d4fab2ccfb0e0e1c3a9e7513bd7be4bd7
- SHA256: 803d6a9b843255fe332a86c44e4708ae2d0977ea8d94e1e09cfabd9d087ae3f7
- SHA512: df22819d6cd19a341b8d2944403295218760312a9e25c2828464d4bb3f339047ce4fbddf72c16832f5faeb3e21bec54eb882e918a890360b7ec2076af5b459b0
- SSDEEP: 384:xL7li/2zgq2DcEQvdhcJKLTp/NK9xaNx:xkM/Q9cNx
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2620, Process tmp1279.tmp.exe
- Executes dropped EXE (1 IoCs)
  pid 2620, Process tmp1279.tmp.exe
- Loads dropped DLL (1 IoCs)
  pid 2396, Process 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege; pid 2396; Process 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2396 wrote to memory of 2756 | 2396 | 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe | 28
  PID 2396 wrote to memory of 2756 | 2396 | 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe | 28
  PID 2396 wrote to memory of 2756 | 2396 | 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe | 28
  PID 2396 wrote to memory of 2756 | 2396 | 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe | 28
  PID 2756 wrote to memory of 2656 | 2756 | vbc.exe | 30
  PID 2756 wrote to memory of 2656 | 2756 | vbc.exe | 30
  PID 2756 wrote to memory of 2656 | 2756 | vbc.exe | 30
  PID 2756 wrote to memory of 2656 | 2756 | vbc.exe | 30
  PID 2396 wrote to memory of 2620 | 2396 | 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe | 31
  PID 2396 wrote to memory of 2620 | 2396 | 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe | 31
  PID 2396 wrote to memory of 2620 | 2396 | 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe | 31
  PID 2396 wrote to memory of 2620 | 2396 | 182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe"
  PID: 2396
  Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ci0oipb2\ci0oipb2.cmdline"
    PID: 2756
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29585027F87D42BE915DA99EE2F979A.TMP"
      PID: 2656
  - C:\Users\Admin\AppData\Local\Temp\tmp1279.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1279.tmp.exe" C:\Users\Admin\AppData\Local\Temp\182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
    PID: 2620
    Signatures: Deletes itself; Executes dropped EXE
Downloads