Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

182ef97364...cs.exe

windows7-x64

7

182ef97364...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    06/06/2024, 13:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    182ef97364bb9b12f59442fa3997fa00

  • SHA1

    5967673d4fab2ccfb0e0e1c3a9e7513bd7be4bd7

  • SHA256

    803d6a9b843255fe332a86c44e4708ae2d0977ea8d94e1e09cfabd9d087ae3f7

  • SHA512

    df22819d6cd19a341b8d2944403295218760312a9e25c2828464d4bb3f339047ce4fbddf72c16832f5faeb3e21bec54eb882e918a890360b7ec2076af5b459b0

  • SSDEEP

    384:xL7li/2zgq2DcEQvdhcJKLTp/NK9xaNx:xkM/Q9cNx

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ci0oipb2\ci0oipb2.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29585027F87D42BE915DA99EE2F979A.TMP"
        3⤵
          PID:2656
      • C:\Users\Admin\AppData\Local\Temp\tmp1279.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1279.tmp.exe" C:\Users\Admin\AppData\Local\Temp\182ef97364bb9b12f59442fa3997fa00_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2620

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      86f5808c2711df688ed2d4aefbc96f7f

      SHA1

      fa414b3fac861ee1ff293b78dde357678c7777c6

      SHA256

      ee1890c3bca3b17a85c0ed94a8a7a859823d4f7779c10edce5cdedbf44b80306

      SHA512

      2bbbcde0623fe40969cd7d5a549176698ab8f45707956164a97cb233a2447e7675d3b1e6ab322087090e23a33169d2f3d6833e14b84d6cb0675c9f47e3058a96

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES13CF.tmp
      Filesize

      1KB

      MD5

      9999cfcbda8abdd9d3e292b24d493906

      SHA1

      b39847423df4f90ba1c96be09c51cc6a1de5aeec

      SHA256

      efe07466306eb3db5cf936831c9c263a39e996b9c6f202a490692a6c5606efb5

      SHA512

      ff80977c42684c18a24e547a6f3bebdc0d019291b34b678aa11386b95ec1041740789500aae86037cad6ea4f8042ccf558e6ae70bcd8eb40c6e8cd1da456b970

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ci0oipb2\ci0oipb2.0.vb
      Filesize

      2KB

      MD5

      1949a02617d753a20356fba49b9c7d8a

      SHA1

      380921a0ae1fc3f655a36ac873418b33fce3a50c

      SHA256

      606edc0977533b99fc7ac56a8bc0fa309f5b6b5e3bbd12164142309d14bf4b4f

      SHA512

      d16a3ff84e7f01cbce6f180f16def656719e7c58e0869a4502710ea9c0871cdb55304254ceeaeee2aa83bd6a71dd3eaa43063b14d5eea1e341f78128a89137d2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ci0oipb2\ci0oipb2.cmdline
      Filesize

      273B

      MD5

      7145f94a602ff4025d4202d101ccd2bf

      SHA1

      11e19b05f0cdc01c09bd8ba8b10d29d5fb9f1ddc

      SHA256

      2785f8e7eeb639eb310ebe867b472b5c97ddea7a4013c06de759edbddad78e9b

      SHA512

      cfd3ab3eeac090e17b41d8187efbba47d2be756fb93c02c7fb4c82ef18db55826e411b3f9c39ab488fc596588fe791a21256d51f5534d4670cd6488ecceaf929

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1279.tmp.exe
      Filesize

      12KB

      MD5

      423e720245ada825e66a5869e5c3ea2b

      SHA1

      8b62cafc6fc5e2e38d2a7af943447f615ae3124e

      SHA256

      91cab875be30fb7bfe1914ae7486fc43ebb4584f550fdf76cb5d7f4510bb0bbe

      SHA512

      6c00e19e2d77c9d39c8840272773369dc88647c55050f038b7afc9bbb8bd480e67c202649f2d95f75c8c33a853c10c4a4f54fa530d0b981d7864d3ff404aa85a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc29585027F87D42BE915DA99EE2F979A.TMP
      Filesize

      1KB

      MD5

      e2f1ecc6efcc8cb529b05ea880d5a91a

      SHA1

      f6f51a8ba4bbab95fe8b1a70d9b28b65e7f35433

      SHA256

      2913753759d1a893330baf135565118068cd17bae47a67ab8788afd1ee481609

      SHA512

      815ee7edbc2bba343a5fc372f9ef7f50891a78eff6b7d62483b8e33ac0fa412797f26347af8f95e62d20e227efa6afc231402e5420a1aecafcafa3ad52f7b2a8

      Download Submit

    • memory/2396-0-0x000000007491E000-0x000000007491F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2396-1-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2396-7-0x0000000074910000-0x0000000074FFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2396-24-0x0000000074910000-0x0000000074FFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2620-23-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

      Filesize

      40KB

      Download