Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/05/2024, 20:32

Static task: static1

Behavioral task: behavioral1
  Sample: 2712e52f3b219a414929957a9bada2c0_NEIKI.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 2712e52f3b219a414929957a9bada2c0_NEIKI.exe
  Resource: win10v2004-20240419-en
General
Target: 2712e52f3b219a414929957a9bada2c0_NEIKI.exe
Size: 2.6MB
MD5: 2712e52f3b219a414929957a9bada2c0
SHA1: 0ae9db08eb59a601f4022cdad77c8c5acacc97d9
SHA256: feb69ea1396f9fd1cf66a2f6ba2e0ee6c9ed6e96b140676157c767000e577ee4
SHA512: a13c1c734ea9cf430af26c1d45ed894864c40306200c96efe531eab412243cd92b8ac0ed677ce1d5ea51cd7c7e941589dbf6322e7d65606652caa3b8d5741a62
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB51B/bS:sxX7QnxrloE5dpUpA7b
Malware Config
Signatures

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  process: 2712e52f3b219a414929957a9bada2c0_NEIKI.exe

Executes dropped EXE (2 IoCs)
  pid 2348  locadob.exe
  pid 688   adobloc.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZW0\\optixsys.exe"
  process: 2712e52f3b219a414929957a9bada2c0_NEIKI.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocAZ\\adobloc.exe"
  process: 2712e52f3b219a414929957a9bada2c0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 pid/Process entries are repeats of the following three processes:
  pid 3544  2712e52f3b219a414929957a9bada2c0_NEIKI.exe
  pid 2348  locadob.exe
  pid 688   adobloc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                      procid_target
  PID 3544 wrote to memory of 2348   3544  2712e52f3b219a414929957a9bada2c0_NEIKI.exe  90
  PID 3544 wrote to memory of 2348   3544  2712e52f3b219a414929957a9bada2c0_NEIKI.exe  90
  PID 3544 wrote to memory of 2348   3544  2712e52f3b219a414929957a9bada2c0_NEIKI.exe  90
  PID 3544 wrote to memory of 688    3544  2712e52f3b219a414929957a9bada2c0_NEIKI.exe  91
  PID 3544 wrote to memory of 688    3544  2712e52f3b219a414929957a9bada2c0_NEIKI.exe  91
  PID 3544 wrote to memory of 688    3544  2712e52f3b219a414929957a9bada2c0_NEIKI.exe  91
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2712e52f3b219a414929957a9bada2c0_NEIKI.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2712e52f3b219a414929957a9bada2c0_NEIKI.exe"
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3544

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID: 2348

    [2] C:\IntelprocAZ\adobloc.exe
        command line: C:\IntelprocAZ\adobloc.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID: 688
Network
MITRE ATT&CK Enterprise v15
Downloads