Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

12e40db81d...cs.exe

windows7-x64

7

12e40db81d...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    10/06/2024, 12:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    12e40db81d4bb74b6d9370470ffb93e0

  • SHA1

    cbbde5a9f1485b5d1ffc8b97d6a9731c13fdcdca

  • SHA256

    fb50b6a71a516686d6e468384844a6cc2c1604a0490fb978541e8d5ed1c7442d

  • SHA512

    1fc5536772c2b847814493a99cd932e28f050aeddf40f427aa653c4263eedb7a0013aa643af42220ccc5d5629c77020dae9b2da5504efff99088399d8fb194df

  • SSDEEP

    384:BL7li/2zBq2DcEQvdQcJKLTp/NK9xa91:hhMCQ9c91

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1skemzoo\1skemzoo.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E5A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF907F7C948446BABDB74CC29989A3B.TMP"
        3⤵
          PID:2596
      • C:\Users\Admin\AppData\Local\Temp\tmp1D23.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1D23.tmp.exe" C:\Users\Admin\AppData\Local\Temp\12e40db81d4bb74b6d9370470ffb93e0_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2536

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1skemzoo\1skemzoo.0.vb
      Filesize

      2KB

      MD5

      7aba28bcfbd4115087f50d817a45e3d3

      SHA1

      65bb047c65c471dd091ba499a673c6a9f603eef1

      SHA256

      f6c6f4e341c6e66b907f3dd6e39b97d04c521ce74e689f84de9f24e972ee822a

      SHA512

      e721baafcbf396300fd035e6279e7ba029487bba950fd931be9573d046fa8a59e1d484bdd0a7eea5be3994ae59776e79283871c6270b79cc92f9a8df13b4cf71

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1skemzoo\1skemzoo.cmdline
      Filesize

      273B

      MD5

      b3251640db3541642a56dc2aaedcaa9c

      SHA1

      3c9f503fb47454476ce997fc305e5b6417d54f65

      SHA256

      6650c12c608dddbbc07d94fc36e9e4da08ecf5ecb71d31751f9419f6b55ad31d

      SHA512

      2f5dc02df2702978b18f9f7733b3a8528ed2e2721fd25780ec6d89a339655afc48378af6857030cea416d0b51198da33d416dd77c1bca2e5bc3ec841327a5f5a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      88a893120dfff08bcff53dad5f798206

      SHA1

      f75260a1fa7110efb4f2500d05ae62a24c7aba94

      SHA256

      8a086070f9814eaf349d0a3f5efaa97e124affee0ca5802c283b3011b66ae5e9

      SHA512

      9c46a2be679e0b988c8bf19ce0320d5a331a082d3ca353bbecf73c22b8d3455c1213f61a36dcfca463be9c455044a99577bba42e43a3b8d02dada56b555d2943

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES1E5A.tmp
      Filesize

      1KB

      MD5

      0e64d2337e710b77b939ffaf155054c1

      SHA1

      1a5cb65759401054f2062c0966bc9a171d900279

      SHA256

      8b6a09ce2f6d2c1392e53d902e85683bef58a2b7eb56dc86f06d83c597cad5ca

      SHA512

      df9f6258bb575566a178275a4d8a2e8d3f5c548200c013bc72101ccbbc97fc975ef4770aab96cc1eef702a08552d7b4b0e725ead1a86243d5a8e7cfe5c49d7a8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1D23.tmp.exe
      Filesize

      12KB

      MD5

      d18271677db36308566a8d6efa4d25a0

      SHA1

      d2af56f82a331c2925d32bf0ef8d8c7c64b14a7c

      SHA256

      e84d3cb80e65a3568e5ff79d4a439efb3f8e029163bd13b987125ccdbda05fae

      SHA512

      4abc1b52a3d86dda222c276ea137d37e14609a52c4fd40d62226b6e5b5bb56fec1ff5bef946268a304a3b19be765cdf4710746b2435c3222d0eb0f5fed4eaa6a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcF907F7C948446BABDB74CC29989A3B.TMP
      Filesize

      1KB

      MD5

      11897ea17919fa61ad62c95d51e931ad

      SHA1

      4e48977d2cde404b1d31965cc6047e91f986dbaf

      SHA256

      82d029935ff42dee21836962f16aeb004db90b5491882ba61655b95f8d2835a5

      SHA512

      92fc7d8b6f71debf7db6d1954c9d8af105531cde7f08e0c6fd09cb70c1ba3ac3829f8afb4d8324c927e707fe79485a0297c4b17b523872de7589c2feae140527

      Download Submit

    • memory/1984-0-0x000000007450E000-0x000000007450F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1984-1-0x00000000008C0000-0x00000000008CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1984-7-0x0000000074500000-0x0000000074BEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1984-24-0x0000000074500000-0x0000000074BEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2536-23-0x0000000000FB0000-0x0000000000FBA000-memory.dmp

      Filesize

      40KB

      Download