Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

98a905235a...KI.exe

windows7-x64

7

98a905235a...KI.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    08/05/2024, 01:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    98a905235a42d7c38fcf83580d259360_NEIKI.exe

  • Size

    2.6MB

  • MD5

    98a905235a42d7c38fcf83580d259360

  • SHA1

    3fd557d3049675e9f676b02b0d0e81eb2792dace

  • SHA256

    b59b8f04ac20aa3b9a374e37d1d956837ad8f99349c09c54619b19041a05c5c9

  • SHA512

    eb115a105ef725f807c977146dd39dcf5d287b3b77978c36222573dcb26a22fe044c74ba5a4c626e4fc31dd46da07791630326a8c909862355f98d5d97aee0f3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bS:sxX7QnxrloE5dpUpwb

Score
7/10
persistencespywarestealer

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98a905235a42d7c38fcf83580d259360_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\98a905235a42d7c38fcf83580d259360_NEIKI.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2936
    • C:\AdobeSU\abodloc.exe
      C:\AdobeSU\abodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1880

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\AdobeSU\abodloc.exe
    Filesize

    2.6MB

    MD5

    d997f0fcac846b72b66b7ec3276a0eb0

    SHA1

    44ef750ce9f1bc920ee5e3974b20439c47b25f23

    SHA256

    756500e116dfe7b87885bf887a7d68976a7f7476d07d99e2c1bd3ef62f2c25d9

    SHA512

    0154889c32ff0f2243d2f1c165b36278fed32d6849c78ae9cc3865fd6e5c6e2848d9f5a859b24ba52fba07b52e771213383abc891a0f7d0db680486f5114fffc

    Download Submit

  • C:\KaVB2C\optidevsys.exe
    Filesize

    15KB

    MD5

    10e6df3619bbbd1a2464d5000a56fbb5

    SHA1

    9080f324c059847c04fbc434d62d8ab2e06140a9

    SHA256

    e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559

    SHA512

    9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff

    Download Submit

  • C:\KaVB2C\optidevsys.exe
    Filesize

    2.6MB

    MD5

    73807f78ce2b9d670923751dc92043a1

    SHA1

    14895075d4e4027a7260b715e71a4bbdaeb51110

    SHA256

    49084419ca348b0bea8385c18880300c3c1b519a465195ee0ad589c7761b819e

    SHA512

    37f53c9aef450482776d1e7d48094008fb2d61661becff2d87527bd62cd95ed1654c1e9b288200195090b0490e55188e19f3e1bfff2215e59ece218092ff32a2

    Download Submit

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    171B

    MD5

    a5ab352b6a8cd2d832c400fe14f5f860

    SHA1

    b489749a5de861fe405ba79b9ead71493002ac93

    SHA256

    e376af06126f4e610201837747bf699dd4596cc66fc1ab15454f3c1842da4018

    SHA512

    bb450afdab912610e2b41baeb9e3018ffeb3fb3b4ec17a90d7d82b1c6c9ccbb49eeb1ec1eac26940db7261ea14c37e170e291ef8f56aa6c34172dd878032d172

    Download Submit

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    203B

    MD5

    43a500c5496c4006293d17f69f04a4c3

    SHA1

    05af026709cfbf0db5f6db5a29bc645fdb2ed510

    SHA256

    5e087974ea7722d844f8d6057417329d4c4c37f39b4745ce5adca833d20144d0

    SHA512

    ffbf8adf3788dbd1fadf80d89d1ce03364887c673173a63effc5a5593e76780d4c4d79f9a682d2b6407600a308302452cd2b1d082c9d01ee94502bdcdb11c6dd

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
    Filesize

    2.6MB

    MD5

    b5142f608206396793b510d1401717f2

    SHA1

    eb5e1b450a0584c04343bd2329220baadd541c19

    SHA256

    29088a9d66bf0a02e8655eeddf167b794a742c330e1c5b464a13cc61888f4289

    SHA512

    7224a21b7a4184666479a5e47b3d5edc13f5d4953b810a140499bc7c971b802999b060f8073444fe61e3b437bffb7417598e1179b15bd0e5d6d15a1c22a4a6d4

    Download Submit