Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08/05/2024, 00:08
Static task: static1
Behavioral task: behavioral1
- Sample: 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
- Resource: win10v2004-20240419-en
General
- Target: 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
- Size: 4.0MB
- MD5: 72fd6e866a4b053c05123393dd6fcae0
- SHA1: c914dd795c00507039d5e7527e893c8008d0c0d3
- SHA256: 122206905a59e09641f7da160b560adeb1dba86878af315b65de07fae12b8331
- SHA512: 3fdaed3acf28795f0fe80b5af203dde3b375596a292d6e1161d1313a3aaedc80fcc4a99e35a392ae1116294b1eee63be41aba2fe9b558df66e62b7d1b25d61dd
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpQbVz8eLFcz
Malware Config
Signatures
-
Drops startup file (1 IoC)
description / ioc / Process:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe, by 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
-
Executes dropped EXE (3 IoCs)
pid / Process:
- 2608 locxdob.exe
- 2696 devbodloc.exe
- 2676 devbodloc.exe
-
Loads dropped DLL (3 IoCs)
pid / Process:
- 1760 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
- 1760 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
- 2608 locxdob.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesSM\\devbodloc.exe", by 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3V\\optidevec.exe", by 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process (64 events; verbatim repeated rows collapsed to the distinct pid/process pairs):
- 1760 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
- 2608 locxdob.exe
- 2696 devbodloc.exe
- 2676 devbodloc.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / Process / procid_target (verbatim repeated rows collapsed, with event counts):
- PID 1760 wrote to memory of 2608, 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe, procid_target 28 (4 events)
- PID 2608 wrote to memory of 2696, locxdob.exe, procid_target 30 (4 events)
- PID 1760 wrote to memory of 2676, 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe, procid_target 29 (4 events)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe"
  PID: 1760
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    PID: 2608
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Level 3: C:\FilesSM\devbodloc.exe
      Command line: C:\FilesSM\devbodloc.exe
      PID: 2696
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  Level 2: C:\FilesSM\devbodloc.exe
    Command line: C:\FilesSM\devbodloc.exe
    PID: 2676
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads