Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

152e047a90...cs.exe

windows7-x64

7

152e047a90...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2024, 07:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    152e047a90b072967e1ed9d0f8fa2640

  • SHA1

    e43716c46e584735510d8f1fc2368e437802305e

  • SHA256

    28eb3beb520000445ad2d399c6a67e1ca2eab0a360a7aeeb39eca6aaff3a19d0

  • SHA512

    e453e420e9726333fa52aa9dc4783d25907019179eb382d7ebec2a945bd481d017b3e8574a8f632cfd8d3795936c2d578cfc61201757db3d3db244a54e596a80

  • SSDEEP

    384:1L7li/2zUq2DcEQvdhcJKLTp/NK9xaME:VIM/Q9cME

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g0uoxft4\g0uoxft4.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CB5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc638188E0854E449ABA799EC860A9562.TMP"
        3⤵
          PID:2576
      • C:\Users\Admin\AppData\Local\Temp\tmp896C.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp896C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\152e047a90b072967e1ed9d0f8fa2640_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2516

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      e63e238eeddb3961fb78b4e95c1b5645

      SHA1

      bdbf5f4b87cb9e36370996be6785f0ff46a8ccb6

      SHA256

      a647cec5d60c4fddb413cf5071d09e4bdf444363a8feb769abe20f00a9301efe

      SHA512

      02cbba335c8e6c66a29c21679c38e6601c1cd93e3da224166d68c356348ab78b1f28b839a37514b0874a9efbef65159a3b1333e03fa4dfd1cf10d3262ad6cfff

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES8CB5.tmp
      Filesize

      1KB

      MD5

      a81d429d0a4fbe04c8d91a79e43247e3

      SHA1

      61c0783b5b5b03954f8e39743dd7c3f1f1e0ffdc

      SHA256

      1d62a68502bf60bd93d724c630a8d12df35db9e4a02bbbaca29880a3c6053f38

      SHA512

      f9d191a9202a34ac14c1cca34d140f413ee96b24b2d39e92fb21875f3675a42fe9967cfe8f3d89f6e95ea21f41b939166aaad61a18b3fd412195b85e8e89be70

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\g0uoxft4\g0uoxft4.0.vb
      Filesize

      2KB

      MD5

      4382cd50ac59a470cb40ee5555592c1c

      SHA1

      aa8f9cdd673936e67602c8067bdcfc025e9a90de

      SHA256

      3b9eab729c36e6e54ed14e3c4e353e3c8c1523fe282c6d5ab15b8dd921c982af

      SHA512

      e34dcc37d6f40c53d5043ffc4b7bc35a917da6c6b171b38eb8266509eadd357f48d2445b8b3280725c727f56839664da5288de10f9d27b6d3d05f2fdb65e8b60

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\g0uoxft4\g0uoxft4.cmdline
      Filesize

      273B

      MD5

      17d0ed8e6608516e01c5224e181a7151

      SHA1

      d5cbce177e1f52a7fc5cae4a249db9cdcba9b722

      SHA256

      c3903767b4ee788048d4bc6b93076299dd90ecc5a2dea369c492643689fb016a

      SHA512

      f393690aa58b9c3a63c8629349a2430bc419a444928a630748e672cac66385d1d0356e90e87a2e2370ae4c06de93284666c35a770cdf196373f5b43b265e44d0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc638188E0854E449ABA799EC860A9562.TMP
      Filesize

      1KB

      MD5

      503f68375927481ab42f2a2d9545afb3

      SHA1

      51a28400712c666df2479a3ed606a324ccca65fd

      SHA256

      ddba2e7297a0e053b0e492578ad9386c1ba218cdc0f0707b1caf52d287a6ce07

      SHA512

      331cf8a170491c0ff0214a3be560e85549cf2bfd224bd39e384504d3ae987e3754e6d75d07c02778a6a5a02227c6174a4be2b2afa09959c7eb4f08abcf650e58

      Download Submit

    • \Users\Admin\AppData\Local\Temp\tmp896C.tmp.exe
      Filesize

      12KB

      MD5

      397746ce3e7dcbd08a180f52daf6bc12

      SHA1

      d45f6e36dc164e6a8ec39e54343e9968fed8bf6c

      SHA256

      770e063ee893d7c520bd7695475f668aadfe511091855abd4f0f7347ab8998ad

      SHA512

      51705cba0ec73c2b8a87ba1c0809c96655466edfc3184f8de5ac5af899f6466ff5fe219cdbb8cadd5c68797eebd92b51660149fa133e2c298d36562590bd0fbf

      Download Submit

    • memory/1720-0-0x00000000741FE000-0x00000000741FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1720-1-0x00000000001C0000-0x00000000001CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1720-7-0x00000000741F0000-0x00000000748DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1720-24-0x00000000741F0000-0x00000000748DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2516-23-0x0000000000D10000-0x0000000000D1A000-memory.dmp

      Filesize

      40KB

      Download