Analysis

  • max time kernel: 149s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 07/05/2024, 21:17

General

  • Target: 37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe
  • Size: 3.6MB
  • MD5: 37a140fe29eaec7bd519e87033aaa5c0
  • SHA1: 172be7464f4c1b5591f73a459cd643dccd4b7e00
  • SHA256: e32dd1474a1f3f47c6d8ee19fba793c4cd900bc68350710d34ba6a3cac171788
  • SHA512: af43c929359bbe3bd697a56122ce3d01b741b409a6250b1928b5e8633a5d8d845476711853897d5f0a4161f00cc155edc704ff7a6a4cdd3889680fe201cfd31b
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpVbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe (depth 1, PID 1308)
    Command line: "C:\Users\Admin\AppData\Local\Temp\37a140fe29eaec7bd519e87033aaa5c0_NEIKI.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (depth 2, PID 2748)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • C:\IntelprocNS\xoptisys.exe (depth 2, PID 2700)
      Command line: C:\IntelprocNS\xoptisys.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxV5\dobdevloc.exe
    Filesize: 3.6MB
    MD5: 403fa7c78bf10014baa8032225260cc3
    SHA1: c94967746f1dfde181fd6ec2e70804413f656b7f
    SHA256: ad8c686b796dbecc4cda51a64d5cc8c328db27bf5f11192220543502f63a6cba
    SHA512: 60e2e474c6d6b87dc8cfa8fe0d9aa86a001069292096de425c8e0026ee2f036761fbe08b54d243d346959eb869f30e141e20948856ab865a67a676b6040f3846

  • C:\GalaxV5\dobdevloc.exe
    Filesize: 3.6MB
    MD5: a632a1ca5e29ba962c31cd144271e7ee
    SHA1: 35a0ee2ea7701cb13c4e15609b96c8813d8e4961
    SHA256: dda4786f602f95c8decec84413605dc598238f3c477a9cffee3bb9a3d3ad3f93
    SHA512: 7339aef392c504ef13da42c86855510574dd7f0db7fea10ef1fc0923e9c6329a21f8b7b001d6e70622ccf730ad2d76d0afefcfdeb7acd9cea5fa40632071d271

  • C:\IntelprocNS\xoptisys.exe
    Filesize: 3.6MB
    MD5: 6f0842916d119f08117fc90b7cdab4fa
    SHA1: 254717f66991038ba7fd24ea718affecb35a8552
    SHA256: 1bdd733b20ed6146fefeb70d075ed73fa228d062ba9ef58d24b11fdce970887b
    SHA512: f8ada8581dcee42490c0df6cb6195a50b423e32d6f3c5163cec26fdeb3e59350ee929ed7ae00902783fdba5db349b1780f5de05ab939eda6e91eaeaeac1bc53a

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 177B
    MD5: 52355d8d21e3cab0b9ec270c7e132d39
    SHA1: 91e4c7c675d66d8c438a8aa8c54962a22eb692f2
    SHA256: abf539acb0e8ee1721fab723871ec3ae9fbf765444bbe7763b9b990a6a6d8e8d
    SHA512: 951317be966d194074fd6f39fe963ab688f179a1645cb218a4b87f3d619a8dc861f02b993b66ba019d15cfe38a94e6687707d437d7dda81d69722138027d0d42

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 209B
    MD5: b36728717e8a53b28575d8176649254e
    SHA1: aa85d1f3fc4dd8c1d658a222a7a72c6fea6c51d4
    SHA256: 47e93d8ba5c9d8879ecab403dfbc6aa6a815152a6bd3d55f927e31bdd31ac42c
    SHA512: b275fca933557c4b15fe3a5ec386fee35a3bf426c0a7fa629fd3a7783fb2da118535be4ab4d0e6cf71b5dea90d9c4d6bd9093e081b2d8d744ed5f953ba3c843e

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Filesize: 3.6MB
    MD5: cfbe93307746449e2c434044a93503a5
    SHA1: 70baa799038b6dfeb4ef2e68fed3e72b5b99c827
    SHA256: b355f944f1ab8bbc10021d06568014abbf6fc663b6cab865d505757eaa19c4e7
    SHA512: 3ccb801a1776f37d2b9cb97a7f8b3cdf978487d42db9550338870bc43c6d9e24a0e55416b9d118b1e0d773f1e57afa6b59c04670ac94b3e3a7edb413f11df29b