Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/05/2024, 23:34

General

  • Target

    67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe

  • Size

    3.0MB

  • MD5

    67a7e6ad2fc9257dc69883fcc0db82a0

  • SHA1

    b0814478ce7a05d003b6c062fa41c0654cb35d8b

  • SHA256

    6ed13cd098496ed202cdbb34f3aef62247b88847ef43d444ec0336c4be03a98b

  • SHA512

    f50a3bb574000c30cce4f813eea335bbd647cb79402898ddcc3cc2dc81e172a29c5784cd7380d4525b1dc605f548211628e9988c4239917e4d6120be2ebde09e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSqz8:sxX7QnxrloE5dpUpibVz8

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\67a7e6ad2fc9257dc69883fcc0db82a0_NEIKI.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID: 2860
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID: 2784
    • C:\Files7L\xoptiec.exe
      C:\Files7L\xoptiec.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID: 1620

Downloads

  • C:\Files7L\xoptiec.exe

    Filesize

    2.3MB

    MD5

    7ecc236190c5bb025e7666ac26dde42d

    SHA1

    b66513fdb57b0233e3417525d80d6e04ab7d7dfc

    SHA256

    c52fd047942400cfe24debb29e86e05c9cb80efbfc82c24cfcef4a3349936ceb

    SHA512

    f70263256601be52cf29ac252bed6e85412671279a6092e60f67ec3877996c9094058ea0399f2dbadba64e9e51efe4970684600bd85f31614f9ca39d9962a71a

  • C:\Files7L\xoptiec.exe

    Filesize

    2.3MB

    MD5

    54e3c198720b4ee7f2d8d5e9c318c698

    SHA1

    b74599bb5fcbd4c3f197ae50eb7073a0170c98f1

    SHA256

    b64f8c11bd4179a9122da78c2766104cc28651c90ec767c25fc25a5f31ad6f3c

    SHA512

    8645ee968e18283f0e36182c8974c18981ef29e0e030b052cde920e5cef82c06cb2fbad8916c2605cec83cc4537af27a8da8aea549d07a15c8f553d58415852f

  • C:\KaVBK7\optixloc.exe

    Filesize

    2.3MB

    MD5

    e825d5e5b35062360b2c32d1117a1a50

    SHA1

    be79d0aa92c0812b30ac5a1b672c6e5e9d81657f

    SHA256

    c9592fee481ebb4dac2f7c15763ab6880d73b364d59e446f68d96a2f83fbbf0e

    SHA512

    3284a84667121b4211c13ab56327d8aba1124dbb4bbcf099a5f2ce25fc15146fd189b19f71841b9513c50157942042bd21a55e326d2ab99f21d3bfc48640da59

  • C:\KaVBK7\optixloc.exe

    Filesize

    1.9MB

    MD5

    c29ca554b2d51bc91a74bba218cadf6b

    SHA1

    e54997d90f515d594c3ace31712ab3912d6f886a

    SHA256

    09c4c6926a63910b01f9272e813dd0c7f9a8643d777913d519aed25c24d7f5ab

    SHA512

    02ecf26a7b46843e90ee3041df614bc4b44477d763133efce0eef13095aa9a42f3094e933f5d24d0de1d3da4f468a7006e95d20701a3c9ba09f53b3959a17c96

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    2e78fef0b06d7f55e1326a0f0f631be4

    SHA1

    d5922fa63b2f5482b75380699bd81a34d0a22978

    SHA256

    cefa38b64489eb2ba28489ee1a5afe81709ca9a1c9fc786b26456a2ad4d78d65

    SHA512

    45a465bc05a9fccbfdf8dc411edf44349e09b7a52d383af8bd6216b291629cbf47e67535cda5530b37bf1f9c7943bc102079f7c1863cbffd6e6c1909bcf4ceaf

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    04c5f7c995fa0646ab5de9f9f760acb2

    SHA1

    14a2c8b4c5da876b9952593be8d3ed46c38a7c4c

    SHA256

    e316caecc4faacf02870f84bdf4267065b431612817a156257171f7803e240f0

    SHA512

    982868714fb7a461ee690f7bb581c4929a14a5297bc2263a7dd0e32be9ef78ebb64d9c6d034875b65e7ecc1e5696c2091689a1c614a5019ea7875fdd6db08d03

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

    Filesize

    2.3MB

    MD5

    4b08d4d8cbaade9b2914daa5937ae6c9

    SHA1

    3e39df620b50a1d6d43ae635ab4ebe99f130e9f4

    SHA256

    39e370d951291b0249490565c9e6b0a70828be4ae33776e7c68c83578232a54c

    SHA512

    f7dde65042e729fc5d66702660071d07d6ab0c8a765fce2207570fafbf078a57e5f04d294ed2d43657f1eab77b9ade662f33b7377b7f578559b9307657844596