Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/05/2024, 00:08

General

  • Target

    72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe

  • Size

    4.0MB

  • MD5

    72fd6e866a4b053c05123393dd6fcae0

  • SHA1

    c914dd795c00507039d5e7527e893c8008d0c0d3

  • SHA256

    122206905a59e09641f7da160b560adeb1dba86878af315b65de07fae12b8331

  • SHA512

    3fdaed3acf28795f0fe80b5af203dde3b375596a292d6e1161d1313a3aaedc80fcc4a99e35a392ae1116294b1eee63be41aba2fe9b558df66e62b7d1b25d61dd

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpQbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\FilesSM\devbodloc.exe
        C:\FilesSM\devbodloc.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2696
    • C:\FilesSM\devbodloc.exe
      C:\FilesSM\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2676

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesSM\devbodloc.exe

    Filesize

    4.0MB

    MD5

    536a605c77c8f758ef1f4e0c74557640

    SHA1

    897fa8f627f54ac8c94f5b2cfafccac8fd2f80af

    SHA256

    a758329886c6a98ca33f793637930ff871f6c6bca1be70222263049798c248f0

    SHA512

    2a4406a9e5a46557861f1b830ee16d5cd45d7cda9f781606924798fe66ee4af4fe23995da0650506749b77c86c109a9a30d6bf2dbeca2f50bcc3eb078bc36355

  • C:\LabZ3V\optidevec.exe

    Filesize

    4.0MB

    MD5

    d89a94cdbd1d6a3d59b8d87427b8fc34

    SHA1

    fb3b80693c2dbb00e5a6ba8cffa9f5a97cfcf0fb

    SHA256

    47d93c053b2857505b3f61aaba4585529fa05605e11bce9f3a4322d595ef6216

    SHA512

    8c5e11b76a49dbc4b87a61c62a9c0780132737fe946685d7a2a25017ac84c8af0505b73b9c207523208157f3b54f31e08870c81e78d221660b44e2ffd750e6f1

  • C:\LabZ3V\optidevec.exe

    Filesize

    4.0MB

    MD5

    b6ed1409eaf1e11a0508dde38123c63b

    SHA1

    75e74575a58e961ab68c57b633c69b357af61f6b

    SHA256

    2ce3e8b920a7bd0e3c69f093722c97b748cb1771c0d64bbafbf372a28b583f4b

    SHA512

    0176f226bd1e92878f7d7cf1e6e8eae365455bbe5163da2f8fd96bc870891bd3057c4d4c388db8ca6b72df912c2577c79cdec9dfce7c8cc782c003b28bfffd4f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    dfcc7d9457814253bbafcc1788313c4c

    SHA1

    70a80a73b329f4c588e8b64b4f15f1f0e6921345

    SHA256

    1f860be5f295834446b5c93982e25f2e324ebfd6af36b38d299b358661e8aefd

    SHA512

    5ae8e07e2a03f9594b592370970ee5f82f9537460925858837027d5fceece0714e3e002a28dc5b07b935e462d756f886951486f0f5aaa1e48f8c48d33daeb270

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    ed22aca4560879d84b79671980055814

    SHA1

    b3873cde43dd082603035959a0fcebb0598097d1

    SHA256

    388c5f74e669d7ad25c7a16af9510dfc72be8f7a7501871be74e9259141093f1

    SHA512

    35ce95d5aa1862c53b636f2d58c5ba23cac1a61c0efe5e5ba1f4efdd5e9141f3e6f1c4a3ae98f7a28d654979f0a757a0ef58b9facf0fb1134fbed694d0dba0d5

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    4.0MB

    MD5

    e15e19733ffa9ccece1a9e05cb2028c6

    SHA1

    ff8b6092625b0bac896d2a9c6fc6a3f0f13406b5

    SHA256

    18c146525ce32d43a462353c5e8630a1aacc88794099ae95649620bae1a67fe1

    SHA512

    e017507cb12da020611d84d03cd08b6133681d1a5433391faf2ec39e0d36a08b360b659cffbbe3da124792d3b0b4628e963f4662719a06cac45c9b8fa297d280