
Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/05/2024, 20:32

General

  • Target

    2712e52f3b219a414929957a9bada2c0_NEIKI.exe

  • Size

    2.6MB

  • MD5

    2712e52f3b219a414929957a9bada2c0

  • SHA1

    0ae9db08eb59a601f4022cdad77c8c5acacc97d9

  • SHA256

    feb69ea1396f9fd1cf66a2f6ba2e0ee6c9ed6e96b140676157c767000e577ee4

  • SHA512

    a13c1c734ea9cf430af26c1d45ed894864c40306200c96efe531eab412243cd92b8ac0ed677ce1d5ea51cd7c7e941589dbf6322e7d65606652caa3b8d5741a62

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB51B/bS:sxX7QnxrloE5dpUpA7b

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers commonly harvest stored browser data, which can include saved credentials.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2712e52f3b219a414929957a9bada2c0_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\2712e52f3b219a414929957a9bada2c0_NEIKI.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2348
    • C:\IntelprocAZ\adobloc.exe
      C:\IntelprocAZ\adobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:688
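
As an added example (not part of the Triage report or its detection engine), the Python below reproduces three of the behavioural signatures listed above, "Drops startup file", "Adds Run key to start application" and "Executes dropped EXE", by replaying Sysmon-style events in order. The events are constructed from the paths and PIDs in the process tree; the parent PID of the initial sample, the Run value name `adobloc` and the benign `notepad.exe` control are assumptions, since the report does not show them. The point it makes that the list above does not: "Executes dropped EXE" is a correlation, not a pattern match, so a process is flagged only when its image was written earlier in the same trace.

```python
import re

# Sysmon-style event IDs used below (constructed events, not the report's telemetry).
PROCESS_CREATE, FILE_CREATE, REGISTRY_SET = 1, 11, 13

# An executable landing in the per-user Startup folder runs at next logon.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
# A value written under ...\CurrentVersion\Run or RunOnce is launched at logon.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)

# Constructed events modelled on the process tree above. The parent PID 4100,
# the Run value name "adobloc" and the notepad.exe control are assumptions.
SAMPLE_EVENTS = [
    {"id": PROCESS_CREATE, "pid": 3544, "ppid": 4100,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2712e52f3b219a414929957a9bada2c0_NEIKI.exe"},
    {"id": FILE_CREATE, "pid": 3544,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"},
    {"id": FILE_CREATE, "pid": 3544, "target": r"C:\IntelprocAZ\adobloc.exe"},
    {"id": REGISTRY_SET, "pid": 3544,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\adobloc"},
    {"id": PROCESS_CREATE, "pid": 2348, "ppid": 3544,
     "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"},
    {"id": PROCESS_CREATE, "pid": 688, "ppid": 3544, "image": r"C:\IntelprocAZ\adobloc.exe"},
    # Benign control: a process whose image nothing in this trace wrote.
    {"id": PROCESS_CREATE, "pid": 900, "ppid": 4100, "image": r"C:\Windows\System32\notepad.exe"},
]


def detect(events):
    """Replay events in order and return {signature: [IoC description, ...]}."""
    written_by = {}  # normalised file path -> pid of the process that created it
    hits = {
        "Drops startup file": [],
        "Adds Run key to start application": [],
        "Executes dropped EXE": [],
    }
    for ev in events:
        if ev["id"] == FILE_CREATE:
            path = ev["target"]
            written_by[path.lower()] = ev["pid"]
            if STARTUP_DIR_RE.search(path):
                hits["Drops startup file"].append(f"pid {ev['pid']} wrote {path}")
        elif ev["id"] == REGISTRY_SET:
            if RUN_KEY_RE.search(ev["target"]):
                hits["Adds Run key to start application"].append(
                    f"pid {ev['pid']} set {ev['target']}")
        elif ev["id"] == PROCESS_CREATE:
            # Only a file created earlier in this trace counts as "dropped";
            # an image that already existed on disk (notepad.exe) does not fire.
            writer = written_by.get(ev["image"].lower())
            if writer is not None:
                hits["Executes dropped EXE"].append(
                    f"pid {ev['pid']} (parent {ev['ppid']}) ran {ev['image']} "
                    f"written by pid {writer}")
    return hits


if __name__ == "__main__":
    for signature, iocs in detect(SAMPLE_EVENTS).items():
        print(f"{signature} ({len(iocs)} IoCs)")
        for ioc in iocs:
            print("   ", ioc)
```

Run against the constructed trace this yields one Startup-folder drop, one Run value and two dropped-EXE executions (PIDs 2348 and 688), matching the counts in the Signatures section, while the pre-existing `notepad.exe` never fires. On a real host the same correlation applies to Sysmon Event IDs 11, 13 and 1, with the caveat that a file created before telemetry started will be missed, which is why the Startup-folder and Run-key checks are kept as stand-alone rules rather than relying on the correlation alone.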

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocAZ\adobloc.exe

    Filesize

    18KB

    MD5

    f3611b180f53e7b766446f16c0eb47e8

    SHA1

    b0a5575b4fca6d2ca1ebf68f998124b33189a5e8

    SHA256

    da3c4283fe87c6da829e4d3b09eadb3c7290c393ca69be154a4623b54548802f

    SHA512

    80c0937e80f63fa08bcb017f6504125ff30072a3ed9a2185ea5271bf5c0c20edbe958b500cc16a99d3c0072a1a1468864aa5250c977a0ad30c63af750b7b5ca1

  • C:\IntelprocAZ\adobloc.exe

    Filesize

    2.6MB

    MD5

    3fd82f12613ff5390b84c398b1e8fab8

    SHA1

    47faa07ec447fb3828bee7e14bdd92938f931b2e

    SHA256

    dd1bf4569f0d04192343dde492c704bc49dc79486ec676adc070b4c5b633266d

    SHA512

    e329e5634d8798c06240ea10c50dbef048d9794b2229047a71084ed778305d9098222dfc161cb3461188afb871190aba82fff2d0483059e7180e2f09eee5bf22

  • C:\LabZW0\optixsys.exe

    Filesize

    430KB

    MD5

    5a27945c917543e0f7db5cf510aec55e

    SHA1

    1d962a981eb2975ae5abd88c847a9834ca0d8b9e

    SHA256

    be49e0d9f34735e54641e9a1832717f779b983883d978d11b11e8bed62561e5a

    SHA512

    8807d2c9784ab937f32d9b1a39445fd0ef9e762cdca5a3055e108f5fc85ba31181ee875373d3d04f9655550ebce024f23264bd6c309142e2f6e5126c5a33ed57

  • C:\LabZW0\optixsys.exe

    Filesize

    2.6MB

    MD5

    1f43f96f3cb5c1c2ded7230da7b108e8

    SHA1

    b30b172716ed5da552f1408e07d5e8a8fa47498b

    SHA256

    8f03488916bdb23d6d4bc0dccba340308b5ddc906b28f1d707b80088060ea938

    SHA512

    4ee96bba873c055ae2b6dd9b795ed033b47ff1dde3e5cc585e4fcb0d391e623290650dbd1ad9a09a707057211b547cdcccce4da3e6b1b60158aea1bcb76a52df

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    da4bc2d0c3975c4b2dc0d668fb9ceffd

    SHA1

    27256cc1f86dee392c7e7797520feec034ef0a13

    SHA256

    5bc8e2ecfdfc32429ed60ffda9e81d7a1da820542ae64cae1d3d88184ddd9eac

    SHA512

    2d8fe492d7ec3f185d250a29c662a56ea608ed45b2f0bd5253769cc8d44b694b1188ed89fd578041e66cdd788238dd1d98fa6eeef857056fdd5d643966b5644f

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    43cd9917b22ed525aeb794c93320b88a

    SHA1

    63f236e0151612f4cf5b965be965a63a38e3fc97

    SHA256

    bb3f9aefb3e27a8c931747629f6eb302a208c1a0c1a3c2490259fc94fe825801

    SHA512

    65ea3e79192c5e7df41743674809e6786d8c24238340a730271807439f1889eebe25e24dddfc4a5ab6f86fb0c54872d387a573455d89a56a38f3a8fda805098e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

    Filesize

    2.6MB

    MD5

    f35fd5ed692e20a63f70bf2cc2039773

    SHA1

    23a752590c854f10d782d2fcd013f9d538b92afd

    SHA256

    859349992b0ab5ace0a868723b5c2f7ef96232c3e63221908a6233071b928a56

    SHA512

    8c12bfa3f096587f374a9b3946fe562a286a957f43a2c8743d3f53e7b31379807b7f458e3bd19c88bc7434b8e6017d25b89ed4414b0790f13d53e64e1e593cd3