Analysis

  • max time kernel: 148s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 19/05/2024, 18:47

General

  • Target: 1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
  • Size: 3.9MB
  • MD5: 1997c881825c86264ed07533988451e0
  • SHA1: 0431748a6566be7050093656d089b52bcc1fe29e
  • SHA256: 7b6428e3ce81a8cee71671e15460e4c81cf1de25ca169e783a0e64e4d98b4542
  • SHA512: 3a7869eec06be58b601aee81747e8d9b95fe6f1e8c8163b53aa76c0190d5ff3c6f734a86ebd613ee63c15303483320509534ec1b3c5807d84c5a2d8387349dc6
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUpLbVz8

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1997c881825c86264ed07533988451e0_NeikiAnalytics.exe (PID 1904, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1997c881825c86264ed07533988451e0_NeikiAnalytics.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (PID 2548, depth 2)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • C:\Files3C\xdobec.exe (PID 2712, depth 2)
      Command line: C:\Files3C\xdobec.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files3C\xdobec.exe
    Filesize: 35KB
    MD5: cc8a8c17d4ad2a69bfdb225e1acb12d7
    SHA1: f3fe42faa842706378dda35c73e8f0d268079fd5
    SHA256: b4ef80bbc959ebd5ff2bd99911c33dca1bf95404aa1bb885a0d751acb89077c9
    SHA512: dbbbfb251b097fb542c61c86d97b9bbaf96dbe0bb95ee239829e950aa7bebe26984e8fe99a16182e2fee3b68d128f6d18d6a36b8adce611ccd2902960b162869

  • C:\LabZ0Z\dobaec.exe
    Filesize: 3.9MB
    MD5: f1a5b3accfa821b6641d6f06deba6541
    SHA1: 5f36a9fbd913aced75e41ae0ae455ed74f94070d
    SHA256: 9dbaa72b75346c9dd3342797d8727953bff3f9afc9ef86d4ccccb3d5445fbc6d
    SHA512: f63785eabf171fcec48268d0472063d5a87bc1ec429883cb316079ec09ca62520c0678ca584cb6967cdf863b5a8585898652293ce624ffc13598cf2c639361c6

  • C:\LabZ0Z\dobaec.exe
    Filesize: 3.9MB
    MD5: dd35e5bc9154996288f73c15c81b55b0
    SHA1: 5d0991dc3d2ff3f7c364bddb4bd9b0fd1111da33
    SHA256: e95c87a9af1709b96046f7e9248de4c88a739b5db4b975c37744196709fdb814
    SHA512: baf7ce74d82544a8b8079afd027e3352666b2efcae4092d7b82a67d52492227f57c893a9336648395f835953ce3888d6bba532e33535761a266695685439a16f

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 167B
    MD5: ebcadf8777b95d3c573b3fa23d3a7fb4
    SHA1: 51f70483f75992159703791dfb3cdf907cbc6178
    SHA256: accb63f39eec56cf63b88e36a2b3dffa523cb77f8e8be562f35ae7b77afab9b8
    SHA512: f282bac73223830c5f3631ed23a63264bdbd8419dff30f941f0efdfbbb819d00c1867d73db5a1a5c22e3bdbae8b21061e733ea9e64fd7c751d0bad9e63aed502

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 199B
    MD5: f1cf48b36af83a332b8d96ae8b31bd1a
    SHA1: 5c82871aad52ad89e87c955db5b61532e7918930
    SHA256: be5318c9da708a6d97e78b0b595a436768cbaecab559ae6e5f609cfa27ed6d65
    SHA512: 470f591849a89d50d42e699b95aab631c2a906b54959de3882f35dbd88a728ffe7e3b14b8e9d08f5444eee26f26300a624565eb7f9f3a0b1690a666aaa203fb7

  • \Files3C\xdobec.exe
    Filesize: 3.9MB
    MD5: 1b867c29ab0d5bbb38af47fd3c4e2c72
    SHA1: ce0a467c57bb59757be63a2806f335211a7d1abb
    SHA256: a1120a3c35aac683dabef745400842f328b640593467dcadf4ffc1162f1ee68a
    SHA512: 7be9b304a8e32624bda31c7a0d8bbad2a8763d1c73e2924874461322f3100640a375f63e03f0a0e85660ce9672ead00ffa602bd26a108300f3442576b42a3ad4

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
    Filesize: 3.9MB
    MD5: 111502b258e17e5b0d2794a362c8ad3e
    SHA1: 0b27a80f3eb3e5c0f255e32f1063e8ede6624729
    SHA256: 44e90d2f56245636ec030290144c75fbda62eddc03bd75e70958f3bde504813e
    SHA512: 1ac6b3cf9d0dc91ce62cd763bb51e5db17ee1bfb5c93aab1447ccac7c99e5b2c4ecb28e85332e5471b7d7fdbfdab6bbaa2ab48d741c2b581198ff7c487c1a437