Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

4e0ac92347...cs.exe

windows7-x64

7

4e0ac92347...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    07/06/2024, 10:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    4e0ac92347b930531fa7cce4144b5600

  • SHA1

    f96cba060a83722e90cec4ef58cccd63b25277ae

  • SHA256

    398deb4ed694c71ca48f6fb70cd669e6743f64acf8d1d7ad4bcc9bd095549f76

  • SHA512

    b55a040d1f4f3ee6aecbd0ffd867d39396b4f2d36c30156352b0e4328683f39430621cdc889684b3db6fdafcef82cf1cee50541a7caf799a25967d131a117422

  • SSDEEP

    384:OL7li/2z7q2DcEQvdhcJKLTp/NK9xahK:YHM/Q9chK

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\thsxfmlc\thsxfmlc.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1268.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA19970A548F641318FDBE225B71E45D8.TMP"
        3⤵
          PID:2652
      • C:\Users\Admin\AppData\Local\Temp\tmp1150.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1150.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4e0ac92347b930531fa7cce4144b5600_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2612

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      291ce671e59dd15cd582a80bf5f766c0

      SHA1

      90a82ccfed533d1fdbc118e9706bb8eac1c5cdd8

      SHA256

      a9226b442476c16fb6224c02d6e88578f4f415db61355381fcc12c702217e253

      SHA512

      c2c55b7501910dbf2af09a0e7e4349b40728709151c5e645b158e1d7ec9f29251cabd9ff71c62a6b79c8690c7bb73e2cb086d6f896f21a67a62bce293a590997

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES1268.tmp
      Filesize

      1KB

      MD5

      31b170e0527ce7bbdbe0295ac769ff0b

      SHA1

      6f84bff1ff11d8a5e72b155e208174f9b5d93df9

      SHA256

      85194dc449aa52f2097ddf707bbd88b2343e51c524721e544199262a1f26f06d

      SHA512

      eba4cc6c4dbf21a85ebb42c8af8690d7587ff5b26d9ba134b029ef65cf4855cf3a47692b99000e9dbf9545fbff993a1e4c06c6fb65e595f814c3b5e06f8eaa1a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\thsxfmlc\thsxfmlc.0.vb
      Filesize

      2KB

      MD5

      c8dbd612fdbaf98e936d6940e4fb9d08

      SHA1

      187b6e0f04ce21596e707486b204ac489e26e785

      SHA256

      9a3b20fdedf220e1a40fe1fffb3ab1b37e1f19bd4b4fc08c363f86f7e328db04

      SHA512

      c5489088f399b2eba801c4efe85b4961dccf4b48fda22ea83a9edd80c6977f6e7899fa613a05d84f0b49b2ddfcbf1bc4244d1ebe0b0d1f3db69f782add606cf1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\thsxfmlc\thsxfmlc.cmdline
      Filesize

      273B

      MD5

      264baf5f7a5c19481435d624faaee45a

      SHA1

      e4b82d02efcd0d85455e9da0b683c49c0a9e85af

      SHA256

      b94f695bdf7aeba291e8d4dde37c51588f5ae3d944f645903c86feca9b9fe56a

      SHA512

      8e2781f1414c9ee36817cbb917c678cbd6e9eefa0a3686b85979a383e4488935e144322a810a7dd0b11baadd985d9fbc429232c630a9e7573880b7321e204c30

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1150.tmp.exe
      Filesize

      12KB

      MD5

      9e8c009ef615a54828a6bdcfc9c58b4f

      SHA1

      74348a60362f837bb48adab793057523043bf1eb

      SHA256

      829368fa2e48b2b034f08d58f3034d54a9b12450ecfb5fe1fd07b3422e8a7725

      SHA512

      cbacdc0868c74a0ad53a669916bb4e85ef0fedae877fbb7c0eb7672023eee5fba03c8b5e637da7d32a897fe7b98a749871f81544623ded68512b7893cfc6e8d3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcA19970A548F641318FDBE225B71E45D8.TMP
      Filesize

      1KB

      MD5

      dc4b8d127765cb0687ede97fcecd307a

      SHA1

      027ae16f4ca62cd2ea5c0a63d1fdbafa0f8d578d

      SHA256

      3b085de4a9fdda9626212e2f0214fe72b6689754c6b2ea6ffad81f04907de5ed

      SHA512

      28f2817eab5e9e22ba7f2a6be7ebedee8629ac87835198bd6c6da1f3ae0f5baeb5589082269c9120b8b2693deb3839cec523a0ac50a7058f2bb02f5f0ad03c87

      Download Submit

    • memory/2364-0-0x000000007455E000-0x000000007455F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2364-1-0x00000000009D0000-0x00000000009DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2364-7-0x0000000074550000-0x0000000074C3E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2364-24-0x0000000074550000-0x0000000074C3E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2612-23-0x0000000000180000-0x000000000018A000-memory.dmp

      Filesize

      40KB

      Download