Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

1579d407e4...cs.exe

windows7-x64

7

1579d407e4...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2024, 07:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    1579d407e4425f29953dd7945b202270

  • SHA1

    9a41373b1fdf82f244a0070dc6539c813c0e9538

  • SHA256

    8bbe21587d694f62806be0183ebbde1c2ae14a3fcca453a1300fad1ce1b63c07

  • SHA512

    72774a82bace005facd60b98b81ff1c29091fa49e6d69595f30f316587f607c1b6070eba0a044a4f6e092223148bf85f8045c9efc972ee3a2fb74a96fdb936fd

  • SSDEEP

    384:LL7li/2zVq2DcEQvdhcJKLTp/NK9xa8G:fFM/Q9c8G

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\inptemvm\inptemvm.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F15.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC769B3A4E88A46438A356A3FC8BFF842.TMP"
        3⤵
          PID:3024
      • C:\Users\Admin\AppData\Local\Temp\tmp1DBF.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1DBF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1579d407e4425f29953dd7945b202270_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2644

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      af14ac196bf09a8beac017d6fe7cd98b

      SHA1

      5d21ae1dff2bfcab0da531f19f446cf6033fdc1d

      SHA256

      edc00b45bc7b44f4d30ac2d3636659891dd97a1aeb2a0645f22b3586e47ba016

      SHA512

      5bf39809c83dea990dc1c27301d8669edb36b903eddaf6e4c44ac7511ab0542d697b1839fcda21b6433a3e7a8341e3ab69d60ac8948b297e1b2fca080663f9e8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES1F15.tmp
      Filesize

      1KB

      MD5

      d58a0f00f3abec5adf6c28aa94f65b6b

      SHA1

      0568312d6790dacd4a9dcf64e7a2f829437fa604

      SHA256

      e590c1120f0b9bf29d539d566e454193fd38a792cced2c65c3c6a8c7a37ba3f4

      SHA512

      427ea488e592dd087bb408dbc558e198c2d01d3a30483d4b02f184af49b9164034fee1bd174b43ea98216969065e59bab45e3c1f3032387f191c36539aa7fd53

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\inptemvm\inptemvm.0.vb
      Filesize

      2KB

      MD5

      c1b1e8e992715ed045deb814b8a48fea

      SHA1

      6e46a5361ba0f0d74f85b6e2afa808b5fdc3ed83

      SHA256

      d06447c41a5e3b9279ee434362e8cc7fdfcf695d12eb464430ae838642404598

      SHA512

      57a5ce348d81b0d838e27298dc23a5ca43f9e81c238676c71bc8215549b6af9e2ab23aa109e3b6027f7a3adf6cfc3aa23ee4e58fa8f82e29c56209a831f351a5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\inptemvm\inptemvm.cmdline
      Filesize

      273B

      MD5

      d3491a05338bec92e384f1a897f610e2

      SHA1

      7b97c4ca5387acef30af7ee44526f0615b09b838

      SHA256

      5b1de9e47d1b6aa2efd9fa3ac24603263e0966e7e45aef8a2ba4c5d16579ee83

      SHA512

      cf9951823b14de0b46e6e8eae3be1767038ae8d44d8018e563d43161b7a6686389f62d9bbd2426619caac306f37d0923205027d297f813d9f6e24bb4a25cb4b8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1DBF.tmp.exe
      Filesize

      12KB

      MD5

      0a9b4c2ca31e07ecb3d48e1afe681409

      SHA1

      7f7d0a1c64f6ea6763ec909d54a89847a6ff9607

      SHA256

      9066af338049348ef6acc45d08a1a995e5dde15125626b17c7dac6a06249c062

      SHA512

      10c8748e148ff09bc0718e773ac4a12bf189c7dc827a0a2435e81237d4e0ad790ff0a8cac08b16cb8cfa8a1ded3370f4e72a17f6f596ef750d27139cb44b57cd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcC769B3A4E88A46438A356A3FC8BFF842.TMP
      Filesize

      1KB

      MD5

      1d4fbe0370fd9591072360c568c2e511

      SHA1

      e6b842aa84c9b340da2ec31a1663d7c83752c6f9

      SHA256

      e11bc4710815855aca0535bcc1ef142f2cd9455963194b8cc5e7afb73a486455

      SHA512

      fbdcb2accc475d5ef7ca10ee6291085c7398c95ef4e530f8d9b959cdf58cc79ba193ab1315a6699f5afe3cc41d31706185eb6f1692cadb1b381b09be8a5d08a9

      Download Submit

    • memory/1752-0-0x000000007406E000-0x000000007406F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1752-1-0x0000000001080000-0x000000000108A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1752-7-0x0000000074060000-0x000000007474E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1752-24-0x0000000074060000-0x000000007474E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2644-23-0x0000000001310000-0x000000000131A000-memory.dmp

      Filesize

      40KB

      Download