Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

4edb786a77...cs.exe

windows7-x64

7

4edb786a77...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    13/06/2024, 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    4edb786a77b0bab6829d8a6b570d60f0

  • SHA1

    11f5d60f4acc562fcf145d9886cdcbd8539885a2

  • SHA256

    384787235065f529d81f53826c0f9d34ebd52c1643250e64d1911faea633cc3b

  • SHA512

    45230eee011f32f75ff775c83d92a219ac9576567e3254fc479385ec121dbd0caca1f04648dd7c5ff5def568971f97c38cfc328fd5074f98f9bd91ae3cdc3805

  • SSDEEP

    384:GL7li/2zNq2DcEQvdQcJKLTp/NK9xaPA:g9MCQ9cPA

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uvr3fowh\uvr3fowh.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1278.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8AF9B8766B5C4ACC8C287E22E0A82294.TMP"
        3⤵
          PID:2668
      • C:\Users\Admin\AppData\Local\Temp\tmp1102.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1102.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4edb786a77b0bab6829d8a6b570d60f0_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2784

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      372bf1447da0a1695a0315bcfa6a96f6

      SHA1

      dbce1cbd79a989443de60cb6c49d0aab14e75d47

      SHA256

      edbd6b114ed314175e03194d1de3550ceb1f2084405c379734e1f06e0448f509

      SHA512

      63adec3041e2e7af2e603c5a724c7318baa2d0f0dd20230fe8034afd52b5ee1a124f04d5228e8c9a4159953e04e408c6de619b5d85f3cc1e6b87c0f1eaa303a0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES1278.tmp
      Filesize

      1KB

      MD5

      6cb5dc75bfb32c8db1d195c3d4b9dc8b

      SHA1

      8ea7ee15948908affd9156fa319570ec01af8d56

      SHA256

      c002fc7c15f58ddab315434896d82312bacf5d03d6b238948b1e9c17e44cf920

      SHA512

      75874071874269b22f884b96aec30a90ee424059961c2b1bb8aee30cf7c4b78244905352407b2d3e251c483160a060a8474a8d982a5f20ddf952ee622af22376

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1102.tmp.exe
      Filesize

      12KB

      MD5

      1b6ff73f889c512807378e874cc63276

      SHA1

      806b3459094d6b7d08b20d53d92a5e6860b40d4d

      SHA256

      fddc695f673250cf538c4eb5b40f800bb3cff194bfcba4ca5301b8b75af3b2ae

      SHA512

      255c1acb7554ce9cf6c23dfccb99db4589b26b11d9bbdc5d8ab9ce66f72819e85aa4761e830eee2ace6114e6287d17ea958d5f265c0a7cbd66319fa61e767b2b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\uvr3fowh\uvr3fowh.0.vb
      Filesize

      2KB

      MD5

      e7b673f71a037554dbdeb1f98f70f99d

      SHA1

      cf8077e6131c12bddf98c0254670e1dabf5aaf18

      SHA256

      04b457f166a44a4c8e3d6333c1fdfca398bdf89c89f8f8a66cbe4f00a7c24807

      SHA512

      05d6fb6e22f4b0a1253637eebf9ac4733c7eb39f97754a3d283e686f87cd5404b78c6f3db55486e5d523ffea6923e9e8992b7189a79670d51ac4bda7d542af79

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\uvr3fowh\uvr3fowh.cmdline
      Filesize

      273B

      MD5

      f0a62da71daa0c6cd56b4c5ea2330742

      SHA1

      834c683da243eeea8f93c852f61c30dd5c3c77ae

      SHA256

      2d48caef58cfe4f9acdac88edce8b1a51162492c2976b1013fdb0ab5775958d4

      SHA512

      a59977e9e35939018044d08ec8ef37e82b9cef42daad3560fe336c0ea6dc7ad43a6fe9a1eaaddfc5584fd4b5721a687a5bae802dc7846172d215007ab2b3ae05

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc8AF9B8766B5C4ACC8C287E22E0A82294.TMP
      Filesize

      1KB

      MD5

      a70e998f6e0531823637f72a6baf1c6f

      SHA1

      8f27c0d36911d11163468c904fa3477852873b72

      SHA256

      d928a551101095029b258cb566227b1100108a2414eb110a93c5ba03de2bbb79

      SHA512

      2adfb69041eb01c1a86370351453826f954118bdec6a30fee79a07e0e4fbbdd544b7d4b016a4b85f1cd10a02d3edbf17c986c62338540b53a11055ecafebf665

      Download Submit

    • memory/2228-0-0x00000000748EE000-0x00000000748EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2228-1-0x00000000002E0000-0x00000000002EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2228-7-0x00000000748E0000-0x0000000074FCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2228-24-0x00000000748E0000-0x0000000074FCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2784-23-0x0000000001040000-0x000000000104A000-memory.dmp

      Filesize

      40KB

      Download