Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/05/2024, 09:01

General

  • Target

    3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe

  • Size

    4.1MB

  • MD5

    3a26230f5ced7430f4e21c14aa71a200

  • SHA1

    f55a90ee18222475e28993254a7a03337dfd7438

  • SHA256

    b05d4ea10eb6c4283ced396fa75a8d456158de02b70bbab5504c691fc0fd121f

  • SHA512

    6e4aab2230a84ecae2fa93ffccfed5110e8ffa304305c9880cb8a5fe05e7f943401df08c89f613b8e680ab51c267d0773c0cfb25a2a0976dbf9ee84f11e65b85

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session data, and autofill entries.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1724
    • C:\SysDrvKG\devbodec.exe
      C:\SysDrvKG\devbodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintBQ\dobaec.exe

    Filesize

    4.1MB

    MD5

    e7948d9195c7e01ccd8f297b2467b796

    SHA1

    e55fca4c517727193491b0f5e5f1ea5c5ac45c10

    SHA256

    bdb4495367e68d4121f76a20e905af824e043eb7a14ecf2be35a690d05cfee43

    SHA512

    33b423ce61f0a21eaa95442042e55022879551b217eebe2b045c648b091592ea7e220ce7d1a5250a6cd85eb35d334a9fa2ef0701716767810e7896caa9395d5b

  • C:\MintBQ\dobaec.exe

    Filesize

    4.1MB

    MD5

    1aecd214379dc8280383ac51e546cbe9

    SHA1

    f8aac5ee656b61323d5239cc222b185f5b921292

    SHA256

    2bcbfb0f953629e9e19c85f022a61c9d15929ca2a23324978f7a4088b02dfb0f

    SHA512

    6bc5f9e12894454c94e8f5e26839ce3a34dc5a8f392eff9c9c1692bc28172dabca6c928732e45cceaff7d3bd93bba22f5b30cc8f1f3af557f985b43dda3755e0

  • C:\SysDrvKG\devbodec.exe

    Filesize

    4.1MB

    MD5

    2d50c6561de6b225742ed32cebe4bd62

    SHA1

    fdf64a1be951a9db8ef7b6127c04def4cbc4a3d0

    SHA256

    098c8bb243c31def1330c0e159883b92b13b246c7bb1f05f5b6b10249edd7bdd

    SHA512

    c9bb34ebabcafde2b44a75b8db67214b19179ab4e4a24e28e0f5c692fece72a9eeec9adda383b9453cb66a58fb29739d44ebb0ab8911bd98353253ae1a82f1d4

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    2b5d8d6cdc800372c90a535cdd2c90a7

    SHA1

    b23d4ab6f2544566441bd54ce649c51daca96ec0

    SHA256

    3534bac621cfaabd9abbb6cfe631104966fada14c7c76badcceaed94bc8a8f34

    SHA512

    45349a960b9796063a9ac79a381f2e649076c63a18e3b8c285eebebcab7323a4a58e7668eeeb29cacb404d35b85b6d3062a9505babe9088ccf8d7be72e9e999e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    bd674f9a9bbf1c4fc804c936962e730b

    SHA1

    86bc414a26495ee0c14c2fc5007296e0c6d19c52

    SHA256

    d26578129a34d600af2960c1cf10f939ef3b27a1195e9dd1fbc50ab81a9cc57f

    SHA512

    b63a5fb685176bb8016998b4fc0cc042c273cc9f421042832c957bc4c03f2ab4263458fa50f500287aeae0420049cb779c04ff8d66af2e683ee19beaa95b11d2

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    4.1MB

    MD5

    529edbbe09bac7a3ae276af4ef0c0731

    SHA1

    0d10c74e731a3330a0f9181b37dde3542f3dc3e0

    SHA256

    a3f4993ba4a6cb5c4278c7e1e1b6f45b8d9bec4b8833bf5c2ac0d247c937a2f8

    SHA512

    0943ab18a88a2a8562e361adaf7a41daf9f4313d742feb3dafd6051036a3561c73d8f07543f3574ef23eaca9a52e7c812c825cba9da75a79f4d7862222dda49f
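The report gives three things a responder can sweep an endpoint for: the SHA256 of the submitted sample and of each dropped file, the drop locations (the Startup folder, C:\SysDrvKG\, C:\MintBQ\, and the .ini in the user profile), and a Run-key persistence entry. Two details shape how that sweep should work. C:\MintBQ\dobaec.exe appears twice in Downloads with different hashes, and the .ini is written at least twice (171B, then 203B), so matching on hash alone will miss rewritten copies and the sweep has to match on path as well. The report does not state the Run value name, so the Run-key check below matches on the image path the value points to. The following is an added example, not tria.ge's code or anything from the sample: an offline Python IOC matcher seeded with the hashes and paths from this report. The fixture in demo() is constructed (placeholder file bodies and an assumed benign Run entry), and the assumption that the numeric prefix of 253086396416_6.1_Admin.ini varies between hosts is marked in the code.

```python
"""IOC sweep built from the tria.ge report above (added example; not tria.ge code)."""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the General and Downloads sections of the report.
SHA256_IOCS = {
    "b05d4ea10eb6c4283ced396fa75a8d456158de02b70bbab5504c691fc0fd121f":
        "3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe (submitted sample)",
    "bdb4495367e68d4121f76a20e905af824e043eb7a14ecf2be35a690d05cfee43":
        r"C:\MintBQ\dobaec.exe (first write)",
    "2bcbfb0f953629e9e19c85f022a61c9d15929ca2a23324978f7a4088b02dfb0f":
        r"C:\MintBQ\dobaec.exe (second write)",
    "098c8bb243c31def1330c0e159883b92b13b246c7bb1f05f5b6b10249edd7bdd":
        r"C:\SysDrvKG\devbodec.exe",
    "a3f4993ba4a6cb5c4278c7e1e1b6f45b8d9bec4b8833bf5c2ac0d247c937a2f8":
        r"...\Start Menu\Programs\Startup\locdevbod.exe",
}

# Drop locations from the Processes and Downloads sections. Startup folder and
# Run key are both ATT&CK T1547.001 (Registry Run Keys / Startup Folder).
PATH_IOCS = [
    re.compile(r"\\MintBQ\\dobaec\.exe$", re.I),
    re.compile(r"\\SysDrvKG\\devbodec\.exe$", re.I),
    re.compile(r"\\Start Menu\\Programs\\Startup\\locdevbod\.exe$", re.I),
    # Assumption: the numeric prefix of 253086396416_6.1_Admin.ini varies per host,
    # so only the "_6.1_Admin.ini" tail is treated as stable.
    re.compile(r"\\\d+_6\.1_Admin\.ini$", re.I),
]


def sha256_file(path):
    """Stream a file through SHA256 (dropped files here are 4.1MB; do not slurp)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hash(digest):
    """Return the report label for a known SHA256, else None."""
    return SHA256_IOCS.get(digest.lower())


def match_path(path):
    """True if a path ends in one of the report's drop locations (slash-agnostic)."""
    return any(p.search(str(path).replace("/", "\\")) for p in PATH_IOCS)


def image_path(cmd):
    """Extract the executable from a Run value ('"C:\\x.exe" /arg' or 'C:\\x.exe /arg')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def sweep(root, run_values=None):
    """Walk a directory tree and a dict of Run values; return (kind, where, detail) hits."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        label = match_hash(digest)
        if label:
            hits.append(("hash", str(p), label))
        elif match_path(p):          # rewritten copy: known location, unknown hash
            hits.append(("path", str(p), digest))
    for name, cmd in (run_values or {}).items():
        if match_path(image_path(cmd)):
            hits.append(("runkey", name, cmd))
    return hits


def demo():
    """Constructed fixture: a fake profile tree using the report's persistence paths.
    File bodies are placeholders, so only path and Run-key rules fire here."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        startup = root / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
        startup.mkdir(parents=True)
        (startup / "locdevbod.exe").write_bytes(b"MZ placeholder")
        (root / "SysDrvKG").mkdir()
        (root / "SysDrvKG" / "devbodec.exe").write_bytes(b"MZ placeholder")
        (root / "notes.txt").write_text("benign")
        run_values = {                                  # constructed Run export
            "devbodec": r'"C:\SysDrvKG\devbodec.exe"',
            "Updater": r'"C:\Program Files\Example\updater.exe" /background',  # assumed benign
        }
        return sweep(root, run_values)


if __name__ == "__main__":
    for hit in demo():
        print(*hit)
```

On a live host, feed sweep() the user profile and the system drive root, and build run_values from an export of HKCU and HKLM ...\CurrentVersion\Run; a "path" hit with an unknown hash is still worth pulling, since the report shows the same path being rewritten with different contents.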