Analysis
- max time kernel: 150s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/05/2024, 09:01
Static task: static1
Behavioral task: behavioral1
- Sample: 3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
- Resource: win10v2004-20240419-en
General
- Target: 3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
- Size: 4.1MB
- MD5: 3a26230f5ced7430f4e21c14aa71a200
- SHA1: f55a90ee18222475e28993254a7a03337dfd7438
- SHA256: b05d4ea10eb6c4283ced396fa75a8d456158de02b70bbab5504c691fc0fd121f
- SHA512: 6e4aab2230a84ecae2fa93ffccfed5110e8ffa304305c9880cb8a5fe05e7f943401df08c89f613b8e680ab51c267d0773c0cfb25a2a0976dbf9ee84f11e65b85
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  process: 3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
- Executes dropped EXE (2 IoCs)
  pid 4940  sysxopti.exe
  pid 1180  devdobloc.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeOU\\devdobloc.exe"
  process: 3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPG\\bodxec.exe"
  process: 3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs, across the following processes)
  pid 808   3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
  pid 4940  sysxopti.exe
  pid 1180  devdobloc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid  process                                      procid_target
  PID 808 wrote to memory of 4940     808  3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe   92
  PID 808 wrote to memory of 4940     808  3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe   92
  PID 808 wrote to memory of 4940     808  3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe   92
  PID 808 wrote to memory of 1180     808  3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe   94
  PID 808 wrote to memory of 1180     808  3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe   94
  PID 808 wrote to memory of 1180     808  3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe   94
Processes
C:\Users\Admin\AppData\Local\Temp\3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3a26230f5ced7430f4e21c14aa71a200_NEIKI.exe"
  PID: 808
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  |- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
       command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
       PID: 4940
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
  |- C:\AdobeOU\devdobloc.exe
       command line: C:\AdobeOU\devdobloc.exe
       PID: 1180
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads