Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/06/2024, 06:26 UTC

General

  • Target
    3ef59aa8de1804218108a1f343ad753f71219d32bc10370d27efaed89b744281_NeikiAnalytics.exe
  • Size
    3.4MB
  • MD5
    9c26a81a4e07480102b8866c41ecb900
  • SHA1
    586a3de0d843ab7022cbda769fdd2237d3a635c9
  • SHA256
    3ef59aa8de1804218108a1f343ad753f71219d32bc10370d27efaed89b744281
  • SHA512
    4e51960aa6f193b22b9563682ff51bc1f6e917e9260ed846e578412f229c2b6a83a9b9392b9c0e978dedc33ec5ea9e5b422894659603e9a19ae7a56a0934e372
  • SSDEEP
    98304:WkkLESftZrW41TNqFrxLDKSMJ/Og4vf2OxmhOvGY6eXsx:hAESTTNq9uJ/Og4XPmoeYBXsx

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ef59aa8de1804218108a1f343ad753f71219d32bc10370d27efaed89b744281_NeikiAnalytics.exe (PID 2204)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3ef59aa8de1804218108a1f343ad753f71219d32bc10370d27efaed89b744281_NeikiAnalytics.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\AIRFBA.tmp\Install LOLInfo.exe (PID 1908, child of 2204)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AIRFBA.tmp\Install LOLInfo.exe"
      • Executes dropped EXE
      • Modifies system certificate store

Network

  • flag-us
    DNS
    airdownload.adobe.com
    Install LOLInfo.exe
    Remote address:
    8.8.8.8:53
    Request
    airdownload.adobe.com
    IN A
    Response
    airdownload.adobe.com
    IN CNAME
    ssl-download.adobe.com.edgekey.net
    ssl-download.adobe.com.edgekey.net
    IN CNAME
    e4578.dscd.akamaiedge.net
    e4578.dscd.akamaiedge.net
    IN A
    2.21.188.171
  • flag-gb
    GET
    http://airdownload.adobe.com/air/3/nai/windows6.1/x86/installer
    Install LOLInfo.exe
    Remote address:
    2.21.188.171:80
    Request
    GET /air/3/nai/windows6.1/x86/installer HTTP/1.1
    User-Agent: Adobe AIR Bootstrapper13.0.0.83
    Host: airdownload.adobe.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Server: AkamaiGHost
    Content-Length: 0
    Location: https://airdownload.adobe.com/air/3/nai/windows6.1/x86/installer
    Date: Thu, 20 Jun 2024 06:26:27 GMT
    Connection: keep-alive
  • flag-gb
    GET
    http://airdownload.adobe.com/air/3/nai/windows6.1/x86/installer.p7
    Install LOLInfo.exe
    Remote address:
    2.21.188.171:80
    Request
    GET /air/3/nai/windows6.1/x86/installer.p7 HTTP/1.1
    User-Agent: Adobe AIR Bootstrapper13.0.0.83
    Host: airdownload.adobe.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Server: AkamaiGHost
    Content-Length: 0
    Location: https://airdownload.adobe.com/air/3/nai/windows6.1/x86/installer.p7
    Date: Thu, 20 Jun 2024 06:26:29 GMT
    Connection: keep-alive
  • flag-gb
    GET
    https://airdownload.adobe.com/air/3/nai/windows6.1/x86/installer
    Install LOLInfo.exe
    Remote address:
    2.21.188.171:443
    Request
    GET /air/3/nai/windows6.1/x86/installer HTTP/1.1
    User-Agent: Adobe AIR Bootstrapper13.0.0.83
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: airdownload.adobe.com
    Response
    HTTP/1.1 200 OK
    Server: Apache
    Last-Modified: Mon, 24 Jun 2019 13:26:24 GMT
    ETag: "b02458-58c11c23e8eab"
    Accept-Ranges: bytes
    Content-Length: 11543640
    Date: Thu, 20 Jun 2024 06:26:27 GMT
    Connection: keep-alive
  • flag-gb
    GET
    https://airdownload.adobe.com/air/3/nai/windows6.1/x86/installer.p7
    Install LOLInfo.exe
    Remote address:
    2.21.188.171:443
    Request
    GET /air/3/nai/windows6.1/x86/installer.p7 HTTP/1.1
    User-Agent: Adobe AIR Bootstrapper13.0.0.83
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: airdownload.adobe.com
    Response
    HTTP/1.1 200 OK
    Server: Apache
    Last-Modified: Mon, 24 Jun 2019 13:26:24 GMT
    ETag: "f14-58c11c2413c9b"
    Accept-Ranges: bytes
    Content-Length: 3860
    Date: Thu, 20 Jun 2024 06:26:29 GMT
    Connection: keep-alive
  • 2.21.188.171:80
    http://airdownload.adobe.com/air/3/nai/windows6.1/x86/installer.p7
    http
    Install LOLInfo.exe
    621 B
    597 B
    7
    4

    HTTP Request

    GET http://airdownload.adobe.com/air/3/nai/windows6.1/x86/installer

    HTTP Response

    301

    HTTP Request

    GET http://airdownload.adobe.com/air/3/nai/windows6.1/x86/installer.p7

    HTTP Response

    301
  • 2.21.188.171:443
    https://airdownload.adobe.com/air/3/nai/windows6.1/x86/installer.p7
    tls, http
    Install LOLInfo.exe
    597.3kB
    13.9MB
    8532
    9950

    HTTP Request

    GET https://airdownload.adobe.com/air/3/nai/windows6.1/x86/installer

    HTTP Response

    200

    HTTP Request

    GET https://airdownload.adobe.com/air/3/nai/windows6.1/x86/installer.p7

    HTTP Response

    200
  • 8.8.8.8:53
    airdownload.adobe.com
    dns
    Install LOLInfo.exe
    67 B
    167 B
    1
    1

    DNS Request

    airdownload.adobe.com

    DNS Response

    2.21.188.171

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AIRFBA.tmp\.launch
    Filesize
    19B
    MD5
    a59504597a32f93007beef70faadca35
    SHA1
    d5d708fdae84d4fc18ca48c4cdbf999a87dc7efd
    SHA256
    8aa4d5331fd928a41f15280f6d7bc2e8e6d8b7be913a83063e001224b7c80d03
    SHA512
    f97f691ef124636a62a133328036103ab9d2fa6c08f6203211cf61f8b74faf474d35de54c20e326276746f231a9f0e193d96530361e89957c95f9731c6bf1b4f

  • \Users\Admin\AppData\Local\Temp\AIRFBA.tmp\Install LOLInfo.exe
    Filesize
    129KB
    MD5
    f20ad78598c39c35ae6e7595444cdc76
    SHA1
    1c586ca02dc7eb0924c6538e7a1c0e17cac9e7be
    SHA256
    adc2cb614008caf3250cda012370b099341f1ddf482aeb3b45a8736f27de13c7
    SHA512
    ca7b6f89c6acde6c3c2143d4ad3c9b9a4ccd4de677c410bbdf5ca1341cc40af19ff5aef73170a4501302ab0b04883c020cf3a31c1db83eae8c027ab0a7193963