Analysis
max time kernel: 150s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/05/2024, 00:08
Static task: static1
Behavioral task: behavioral1
  Sample: 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
  Resource: win10v2004-20240419-en
General
Target: 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
Size: 4.0MB
MD5: 72fd6e866a4b053c05123393dd6fcae0
SHA1: c914dd795c00507039d5e7527e893c8008d0c0d3
SHA256: 122206905a59e09641f7da160b560adeb1dba86878af315b65de07fae12b8331
SHA512: 3fdaed3acf28795f0fe80b5af203dde3b375596a292d6e1161d1313a3aaedc80fcc4a99e35a392ae1116294b1eee63be41aba2fe9b558df66e62b7d1b25d61dd
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpQbVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe (process: 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe)
- Executes dropped EXE (2 IoCs)
  PID 3324: sysxdob.exe
  PID 3356: devoptisys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc3R\\devoptisys.exe" (process: 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintB6\\optidevloc.exe" (process: 72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1520 (72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe): 4 entries
  PID 3324 (sysxdob.exe) and PID 3356 (devoptisys.exe): the remaining 60 entries, listed as alternating pairs of each process
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1520 (72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe) wrote to memory of PID 3324 (procid_target 94): 3 entries
  PID 1520 (72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe) wrote to memory of PID 3356 (procid_target 95): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\72fd6e866a4b053c05123393dd6fcae0_NEIKI.exe"
  PID: 1520
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    PID: 3324
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Intelproc3R\devoptisys.exe
    Command line: C:\Intelproc3R\devoptisys.exe
    PID: 3356
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.0MB
  MD5: b199733b4aa5b07f0d1b8ac9d0bd540c
  SHA1: 103bffc31834e2c0964c9d583c01c12f3e2f8230
  SHA256: 797bee3c30b5624e44eb9c89ebefaa79243eddd302d114284a321022434b2414
  SHA512: 80788892ca233a4e0165f2ef816f6de49c9903768f84475bd94b725d4f0029153d9443861d6b59e9bd84b9793fd947f21046a42d013d9e00879a367723a62e94
- Filesize: 3.6MB
  MD5: 7b53db4ef28b2fa4e4becbb6fe98e0cb
  SHA1: 6225a9c8acf89c59356cf09948cf6f2d63d69255
  SHA256: 5708fe7d248e196a335863491c878b2e2db356264e8ab45a6f8cf33ebb9d7c04
  SHA512: 17061c379ebcc025640479833a4ee95993e7da1f1c3d1eecea71c5f7fbdc0538dd31967963c5b5c7294db42682321e6ef03f16660b9c0725d50b57f7c4152e67
- Filesize: 15KB
  MD5: baebd565738a73b1785d23f85b9b1880
  SHA1: 3e776227196d9cbee3a9edf120876f20e6af105e
  SHA256: d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7
  SHA512: 3bc0de8b170643c38e93f2b6c116204a135a96435b5202c60c580af12b14787eda2041a92b0dfede92dceb5ad1f7dd232671d472556ccdd7bae26dd1918902a0
- Filesize: 210B
  MD5: 83fc7a7daaa11a50ee4670baa53174a3
  SHA1: 2861176bd8d80e90c5057c17c1cecdad28ba0fc2
  SHA256: 052cfade5e7f3b8b400473938f9b3fbb0b89dbe5a083d8dd7880f1670e89981c
  SHA512: 8a3250ba56d752ff20c68f9e322e55fca381497a65da4a10a80b9ab1c45e7da4ca1c54580d203a5efdb9b0cce571ef8245a0eb3b66f37d45b836485f38a3fe5c
- Filesize: 178B
  MD5: deb663d9c10d1e7abe967e1b10604db7
  SHA1: 5d7060f90d7435b7cb4b12c9dc63c64b65a6ac83
  SHA256: cccfae9373c0ab8ed50535e32b869da70cc8c005664d5ea59491a3470ab8d2bb
  SHA512: eb2588fd35e778cd0739369c2653fc5158627f119636c887f5aed23425ff4da0032493a466a338e084bd1ecd390eb5e1c9620f22d57ff504b451769c1bd8e05e
- Filesize: 4.0MB
  MD5: e5f888ea99b11d68f92a6dbec2050db4
  SHA1: 261fc972a2b7d1608fc038722359435c3adec996
  SHA256: afd8c650b360fd65f6ebc0803c2c9cae4478027aaea3fd98477d7d9d2428a28f
  SHA512: 0a33d817e399f9462f888752a2de95c7187fb1b8d0aa1829c1ee9a2c1e57d70e4c8b1ce270be1f777c2866f5fbcb46118919b967c81aae806680ae1c132865ee