Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 13/06/2024, 00:07
Static task: static1
Behavioral task: behavioral1
  Sample: 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
Size: 12KB
MD5: 4edb786a77b0bab6829d8a6b570d60f0
SHA1: 11f5d60f4acc562fcf145d9886cdcbd8539885a2
SHA256: 384787235065f529d81f53826c0f9d34ebd52c1643250e64d1911faea633cc3b
SHA512: 45230eee011f32f75ff775c83d92a219ac9576567e3254fc479385ec121dbd0caca1f04648dd7c5ff5def568971f97c38cfc328fd5074f98f9bd91ae3cdc3805
SSDEEP: 384:GL7li/2zNq2DcEQvdQcJKLTp/NK9xaPA:g9MCQ9cPA
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 2784  process tmp1102.tmp.exe
Executes dropped EXE (1 IoCs)
  pid 2784  process tmp1102.tmp.exe
Loads dropped DLL (1 IoCs)
  pid 2228  process 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
Uses the VBS compiler for execution (1 TTPs)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege  pid 2228  process 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | procid_target
  PID 2228 wrote to memory of 1896 | 2228 | 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe | 28
  PID 2228 wrote to memory of 1896 | 2228 | 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe | 28
  PID 2228 wrote to memory of 1896 | 2228 | 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe | 28
  PID 2228 wrote to memory of 1896 | 2228 | 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe | 28
  PID 1896 wrote to memory of 2668 | 1896 | vbc.exe | 30
  PID 1896 wrote to memory of 2668 | 1896 | vbc.exe | 30
  PID 1896 wrote to memory of 2668 | 1896 | vbc.exe | 30
  PID 1896 wrote to memory of 2668 | 1896 | vbc.exe | 30
  PID 2228 wrote to memory of 2784 | 2228 | 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe | 31
  PID 2228 wrote to memory of 2784 | 2228 | 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe | 31
  PID 2228 wrote to memory of 2784 | 2228 | 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe | 31
  PID 2228 wrote to memory of 2784 | 2228 | 4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe"
  Loads dropped DLL
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  PID: 2228
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uvr3fowh\uvr3fowh.cmdline"
    Suspicious use of WriteProcessMemory
    PID: 1896
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1278.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8AF9B8766B5C4ACC8C287E22E0A82294.TMP"
      PID: 2668
  C:\Users\Admin\AppData\Local\Temp\tmp1102.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp1102.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
    Deletes itself
    Executes dropped EXE
    PID: 2784
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 372bf1447da0a1695a0315bcfa6a96f6
SHA1: dbce1cbd79a989443de60cb6c49d0aab14e75d47
SHA256: edbd6b114ed314175e03194d1de3550ceb1f2084405c379734e1f06e0448f509
SHA512: 63adec3041e2e7af2e603c5a724c7318baa2d0f0dd20230fe8034afd52b5ee1a124f04d5228e8c9a4159953e04e408c6de619b5d85f3cc1e6b87c0f1eaa303a0

Filesize: 1KB
MD5: 6cb5dc75bfb32c8db1d195c3d4b9dc8b
SHA1: 8ea7ee15948908affd9156fa319570ec01af8d56
SHA256: c002fc7c15f58ddab315434896d82312bacf5d03d6b238948b1e9c17e44cf920
SHA512: 75874071874269b22f884b96aec30a90ee424059961c2b1bb8aee30cf7c4b78244905352407b2d3e251c483160a060a8474a8d982a5f20ddf952ee622af22376

Filesize: 12KB
MD5: 1b6ff73f889c512807378e874cc63276
SHA1: 806b3459094d6b7d08b20d53d92a5e6860b40d4d
SHA256: fddc695f673250cf538c4eb5b40f800bb3cff194bfcba4ca5301b8b75af3b2ae
SHA512: 255c1acb7554ce9cf6c23dfccb99db4589b26b11d9bbdc5d8ab9ce66f72819e85aa4761e830eee2ace6114e6287d17ea958d5f265c0a7cbd66319fa61e767b2b

Filesize: 2KB
MD5: e7b673f71a037554dbdeb1f98f70f99d
SHA1: cf8077e6131c12bddf98c0254670e1dabf5aaf18
SHA256: 04b457f166a44a4c8e3d6333c1fdfca398bdf89c89f8f8a66cbe4f00a7c24807
SHA512: 05d6fb6e22f4b0a1253637eebf9ac4733c7eb39f97754a3d283e686f87cd5404b78c6f3db55486e5d523ffea6923e9e8992b7189a79670d51ac4bda7d542af79

Filesize: 273B
MD5: f0a62da71daa0c6cd56b4c5ea2330742
SHA1: 834c683da243eeea8f93c852f61c30dd5c3c77ae
SHA256: 2d48caef58cfe4f9acdac88edce8b1a51162492c2976b1013fdb0ab5775958d4
SHA512: a59977e9e35939018044d08ec8ef37e82b9cef42daad3560fe336c0ea6dc7ad43a6fe9a1eaaddfc5584fd4b5721a687a5bae802dc7846172d215007ab2b3ae05

Filesize: 1KB
MD5: a70e998f6e0531823637f72a6baf1c6f
SHA1: 8f27c0d36911d11163468c904fa3477852873b72
SHA256: d928a551101095029b258cb566227b1100108a2414eb110a93c5ba03de2bbb79
SHA512: 2adfb69041eb01c1a86370351453826f954118bdec6a30fee79a07e0e4fbbdd544b7d4b016a4b85f1cd10a02d3edbf17c986c62338540b53a11055ecafebf665