Analysis
- max time kernel: 149s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/05/2024, 02:35
Static task: static1
Behavioral task: behavioral1
- Sample: aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
- Resource: win10v2004-20240426-en
General
- Target: aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
- Size: 4.0MB
- MD5: aa1d7a0d620e26a5b372204f518530b0
- SHA1: d752e0afdfea8c8a71bc012e031c964004251be6
- SHA256: 4a59f50b1592184d5fc8e784d4b2ebd4eba2b844fea2fe22afda0e38ab25ec5a
- SHA512: 3e67c55f9c6cf3c28da281097c099a076b14d3a876d47b74a84bcef84d0ae104fa6924890f838b37f70920c605d16c8b1e2c4b4eed37315f03672e29e4ad9d88
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpjbVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1852 | locxdob.exe
  4408 | abodec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeOZ\\abodec.exe" | aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid10\\dobxsys.exe" | aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed to counts)
  pid | Process | entries
  2020 | aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe | 4
  1852 | locxdob.exe | 30
  4408 | abodec.exe | 30
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2020 wrote to memory of 1852 | 2020 | aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe | 89
  PID 2020 wrote to memory of 1852 | 2020 | aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe | 89
  PID 2020 wrote to memory of 1852 | 2020 | aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe | 89
  PID 2020 wrote to memory of 4408 | 2020 | aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe | 92
  PID 2020 wrote to memory of 4408 | 2020 | aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe | 92
  PID 2020 wrote to memory of 4408 | 2020 | aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe (PID 2020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa1d7a0d620e26a5b372204f518530b0_NEIKI.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe (PID 1852)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeOZ\abodec.exe (PID 4408)
    Command line: C:\AdobeOZ\abodec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: ede40b36034d11420daf9b761d447622
  SHA1: 83e69cb72e12fd8ccd507bfa21133e1fca0fd5d7
  SHA256: 6e27085c9b049479ed4b5d515c82d49091d1d0d6a70cc1af4fe1e085816236d4
  SHA512: 0fc2330cfab1d7a2fa7e55f9cc177aa246de7f672540212721ca9232920652a2306906719e60af2bd37ca2fc9074d2244a5514fdc7f344e7c4006b4c69a75120
- Filesize: 2.1MB
  MD5: e647c699a64ec64f67f457b0c20cd82d
  SHA1: 3f93f6a138e0895e8603716ac5613973f0d05bd9
  SHA256: 6372fc6fac0735e4481dcf138579ac75ca4a8c2788339f552bc0ae9194552072
  SHA512: a735ac76944a983f409cb79be13b32c7c5e7baad930104eda7372f9ab06dd1ead1491c6ef1b104f5ed22b6beff7634ff73c65d9262fcc51b636202159a70faa3
- Filesize: 4.0MB
  MD5: e2af933394d1a195ddc7739a8760d6d0
  SHA1: bbf6d00ba1b0177e1e6bd58ca32d011fcb91c8b2
  SHA256: f96dc7b0bf6f99a435e820ba7be8fa88afd51a74b51626c527f9693b6909aab6
  SHA512: eb0e545b75ed30a466577349adc7867f0f838c1025cbca918badac0b287ad32e5fde97766dfaff7068a3cec2668e61a6b575c4138e910d5b7f46d4cc7e653138
- Filesize: 1.1MB
  MD5: 44c4402fba4058dd39f02f5dc489f14d
  SHA1: 7da934c158c9f0864b316b6f0a08b0b6f9357d4a
  SHA256: b3b911bee93020886c40108f421187473cdf0a1a71ad9f55e3183e4544d7a783
  SHA512: 0f46d89591de28a62d6ef22626e865d0429ed0097fa0138891cb005e477711d85dbdf54720423dc07e742385140518acd3a722fea8ca0715b2a6b9380caa7fc0
- Filesize: 198B
  MD5: 372ebd1c419bdebb052946d619d8a852
  SHA1: 4973959b22651951e3e016e527aa498481dbe9c7
  SHA256: 90c50a69a424bfaf459ae9a80ef8c885f6104aa71bc8ea6774caaa32c4c15b5f
  SHA512: 92cf5875ce973d5824924d48dc0467c1956e9db785b8208c3e8e9cc6ad0a42e3d26e0a3a6367e426c1919fd27203b81dc2259baad4d3c0a596df6746ec048c29
- Filesize: 166B
  MD5: 9b3674c988b2b5de0ca93c3dc50da090
  SHA1: c215e7d1bb4327a3688243e39a05a4be3c0853da
  SHA256: 3f684e9642cb66bb908710ba89d97184506b4db12dcef6f582eff91bb8328e87
  SHA512: ffda740ec0b35b18cff741baf28d321a94a806c21cd2cb2ffa3f94ba0ea6e451290fe47a3c5799387329f1b8293b9732f07a5b157cc9d4ca3e7a4ea65f9823b9
- Filesize: 2.0MB
  MD5: 2456e825ceeedb20f71206165d49e947
  SHA1: 890f9632fef2a6bf43a9dfd735746c09de658961
  SHA256: bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606
  SHA512: 970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e
- Filesize: 1.9MB
  MD5: c29ca554b2d51bc91a74bba218cadf6b
  SHA1: e54997d90f515d594c3ace31712ab3912d6f886a
  SHA256: 09c4c6926a63910b01f9272e813dd0c7f9a8643d777913d519aed25c24d7f5ab
  SHA512: 02ecf26a7b46843e90ee3041df614bc4b44477d763133efce0eef13095aa9a42f3094e933f5d24d0de1d3da4f468a7006e95d20701a3c9ba09f53b3959a17c96
- Filesize: 2.2MB
  MD5: fd6b4f33ea00a780cb7f513a5c19a7e9
  SHA1: 3bddd840b743332ecff71c1e3424a9cd4c046050
  SHA256: 873ad4400997602a828095159ad6e95d974996e587593c15a6ea2447b0b64e44
  SHA512: d5463ff2fef091b647f11e825a0a5597ecfe066cce3cc8b7991ee4437b5c6b9b921c331002ceccbc9c515c3f12a0a3c5a8fc907f9430a71c5a89c7916b954946
- Filesize: 4.0MB
  MD5: 0c939d2b0bdaf0c5d34b431255a0be86
  SHA1: f9c4150b85f03fd7b5187bc5413f7b4e5107d06d
  SHA256: 210f1fc2242b4a082ab46ed7a932dcca17fcc71a7f08e39a2d51d64e3f8192db
  SHA512: b2f161bfcf66681aa60ab20715071e417a793e92e87f2e1a17bfc4f756aadf64ae8433e5fde5d2d40727de987e38216c241757f9158aa4b78d8370625b4dfbe6