Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/06/2024, 14:09
Tasks
- Static task static1
- Behavioral task behavioral1
  Sample: a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe
  Resource: win7-20240221-en
- Behavioral task behavioral2
  Sample: a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
- Target: a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe
- Size: 12KB
- MD5: a495330e156d736c6684d5dc97166880
- SHA1: f28df3c1532e6e473317336d1f382409646e14b7
- SHA256: 7e09f3a3afb083991a5a3c5cbc9a85d8f2a6f08ff555c55d391c16194a4a3948
- SHA512: 73b38467eef0063111e4ad608f9f939988675c364afeca0176ec492d69f658077d5da421e8eb4aaf93e1503e064fc103723c2c520d2956300ca366ae0e4aab2b
- SSDEEP: 384:BL7li/2zDq2DcEQvdhcJKLTp/NK9xabo:h/M/Q9cbo
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 2516, process tmp31FA.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 2516, process tmp31FA.tmp.exe
- Loads dropped DLL (1 IoC)
  PID 1928, process a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1928, process a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1928 (a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe) wrote to memory of PID 2784 (procid_target 28), 4 events
  PID 2784 (vbc.exe) wrote to memory of PID 2584 (procid_target 30), 4 events
  PID 1928 (a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe) wrote to memory of PID 2516 (procid_target 31), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe (PID 1928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2784)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2yux0wzl\2yux0wzl.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2584)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES338E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE98A43B9B33479BAD7E69395F21B198.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe (PID 2516)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads