Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/05/2024, 00:08

General

  • Target
    72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
  • Size
    4.0MB
  • MD5
    72fd6e866a4b053c05123393dd6fcae0
  • SHA1
    c914dd795c00507039d5e7527e893c8008d0c0d3
  • SHA256
    122206905a59e09641f7da160b560adeb1dba86878af315b65de07fae12b8331
  • SHA512
    3fdaed3acf28795f0fe80b5af203dde3b375596a292d6e1161d1313a3aaedc80fcc4a99e35a392ae1116294b1eee63be41aba2fe9b558df66e62b7d1b25d61dd
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpQbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3324
    • C:\Intelproc3R\devoptisys.exe
      C:\Intelproc3R\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3356

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Intelproc3R\devoptisys.exe
    Filesize
    4.0MB
    MD5
    b199733b4aa5b07f0d1b8ac9d0bd540c
    SHA1
    103bffc31834e2c0964c9d583c01c12f3e2f8230
    SHA256
    797bee3c30b5624e44eb9c89ebefaa79243eddd302d114284a321022434b2414
    SHA512
    80788892ca233a4e0165f2ef816f6de49c9903768f84475bd94b725d4f0029153d9443861d6b59e9bd84b9793fd947f21046a42d013d9e00879a367723a62e94

  • C:\MintB6\optidevloc.exe
    Filesize
    3.6MB
    MD5
    7b53db4ef28b2fa4e4becbb6fe98e0cb
    SHA1
    6225a9c8acf89c59356cf09948cf6f2d63d69255
    SHA256
    5708fe7d248e196a335863491c878b2e2db356264e8ab45a6f8cf33ebb9d7c04
    SHA512
    17061c379ebcc025640479833a4ee95993e7da1f1c3d1eecea71c5f7fbdc0538dd31967963c5b5c7294db42682321e6ef03f16660b9c0725d50b57f7c4152e67

  • C:\MintB6\optidevloc.exe
    Filesize
    15KB
    MD5
    baebd565738a73b1785d23f85b9b1880
    SHA1
    3e776227196d9cbee3a9edf120876f20e6af105e
    SHA256
    d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7
    SHA512
    3bc0de8b170643c38e93f2b6c116204a135a96435b5202c60c580af12b14787eda2041a92b0dfede92dceb5ad1f7dd232671d472556ccdd7bae26dd1918902a0

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    210B
    MD5
    83fc7a7daaa11a50ee4670baa53174a3
    SHA1
    2861176bd8d80e90c5057c17c1cecdad28ba0fc2
    SHA256
    052cfade5e7f3b8b400473938f9b3fbb0b89dbe5a083d8dd7880f1670e89981c
    SHA512
    8a3250ba56d752ff20c68f9e322e55fca381497a65da4a10a80b9ab1c45e7da4ca1c54580d203a5efdb9b0cce571ef8245a0eb3b66f37d45b836485f38a3fe5c

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    178B
    MD5
    deb663d9c10d1e7abe967e1b10604db7
    SHA1
    5d7060f90d7435b7cb4b12c9dc63c64b65a6ac83
    SHA256
    cccfae9373c0ab8ed50535e32b869da70cc8c005664d5ea59491a3470ab8d2bb
    SHA512
    eb2588fd35e778cd0739369c2653fc5158627f119636c887f5aed23425ff4da0032493a466a338e084bd1ecd390eb5e1c9620f22d57ff504b451769c1bd8e05e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Filesize
    4.0MB
    MD5
    e5f888ea99b11d68f92a6dbec2050db4
    SHA1
    261fc972a2b7d1608fc038722359435c3adec996
    SHA256
    afd8c650b360fd65f6ebc0803c2c9cae4478027aaea3fd98477d7d9d2428a28f
    SHA512
    0a33d817e399f9462f888752a2de95c7187fb1b8d0aa1829c1ee9a2c1e57d70e4c8b1ce270be1f777c2866f5fbcb46118919b967c81aae806680ae1c132865ee