Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

a495330e15...cs.exe

windows7-x64

7

a495330e15...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07/06/2024, 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    a495330e156d736c6684d5dc97166880

  • SHA1

    f28df3c1532e6e473317336d1f382409646e14b7

  • SHA256

    7e09f3a3afb083991a5a3c5cbc9a85d8f2a6f08ff555c55d391c16194a4a3948

  • SHA512

    73b38467eef0063111e4ad608f9f939988675c364afeca0176ec492d69f658077d5da421e8eb4aaf93e1503e064fc103723c2c520d2956300ca366ae0e4aab2b

  • SSDEEP

    384:BL7li/2zDq2DcEQvdhcJKLTp/NK9xabo:h/M/Q9cbo

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2yux0wzl\2yux0wzl.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES338E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE98A43B9B33479BAD7E69395F21B198.TMP"
        3⤵
          PID:2584
      • C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2516

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\2yux0wzl\2yux0wzl.0.vb
      Filesize

      2KB

      MD5

      feab9c65be48d72d964c8b55ae1178f7

      SHA1

      1ab705d6fbc0022d13ee195e87ffa0baa9262d3e

      SHA256

      de36ec4e8acf252d4819a89c59b074d608081dbfa80506c964706520025622c0

      SHA512

      64a1a1fccd1273b9aa946d385211310b0adcecf0cc0b607d183324e9cb784e43c366045b5cb223a5fc3599869bb63457c1b13f01e4bb11c19b420150bfe71893

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\2yux0wzl\2yux0wzl.cmdline
      Filesize

      273B

      MD5

      4bdbd3136b2879d3901ff33116f4f543

      SHA1

      c3255a3c9427a643abeb911b3e843b438452d9cf

      SHA256

      db3852fb06455670311835973d8170d18b5cc06f6ff7cd9102606c3d1b8285f8

      SHA512

      e106fddae4dfc56ef33b314812a95f26f3146c02042c6fceb039df755b1ae4ff7dd4f630fd8554ea0d57029661c392fc7c20418c63e41919799dbf986fb18e44

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      76b3832fde0525cf4d96ce867b27f006

      SHA1

      cd57f2c68abf969c01e5b91b6af8725b5ffa70e1

      SHA256

      483019579c634e6621cd0bceea27d5955a32c5b8246d8889dfa1c9d29f1804d6

      SHA512

      297d8f152baf75b454de5f59093f50205d5d91e619ca759ea1a016e131ac99bee1418208126a4be769d04134252f850e81663cd880b804a5962b60e1493a73f1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES338E.tmp
      Filesize

      1KB

      MD5

      ca9df0fc68afc609422223842e15320f

      SHA1

      1f60b0c2934deed4d52a52640b2236d2c0613a5a

      SHA256

      20d26d1fa74f0226cf6ef42ca2494761aa5ca553b18fa4955e31603fe5019195

      SHA512

      b8ff215cc71f86968a7d61ce323e90c95f3c16b942fd94b40f182c79ac902f38286bcdedacec243cc33d6bd98e920658bfabaa39218ff52d5ae528f5331cc249

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe
      Filesize

      12KB

      MD5

      213b4c648c79b2aeaa5faaa676936efb

      SHA1

      d5e9abfc0324802ca87dc64d116502b6f724ee4a

      SHA256

      122b2f0b626067d63155d94b1f49ab93462ee4e584ddcc1e2893f1b0ec93ef70

      SHA512

      84d33bab35cf6ae4ed0077722d5afa9e109f5c9dbadcce61583be4dcd01c848fb65cb2d1be2b68b4173034477efa4178966af775173686e7a0f05c4bffa07a5c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcDE98A43B9B33479BAD7E69395F21B198.TMP
      Filesize

      1KB

      MD5

      1aeaa13d14e7add5f97a7e287374fd84

      SHA1

      cae8bfcab890aad255d68640e62650fb31c2571e

      SHA256

      22ae0d7239857811edd7d112fac636f3d1dcb04c291994f1eafeadb114e30538

      SHA512

      2038dd521c0018b395c7796c7a2a5c3217cbdd5e9c8b0692dbb2014fa6fa690331eabd272a5f4f4aed3991336198b09325e34015c558c0433c4853e49a09173d

      Download Submit

    • memory/1928-0-0x000000007439E000-0x000000007439F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1928-1-0x0000000000A60000-0x0000000000A6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1928-7-0x0000000074390000-0x0000000074A7E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1928-23-0x0000000074390000-0x0000000074A7E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2516-24-0x0000000000300000-0x000000000030A000-memory.dmp

      Filesize

      40KB

      Download