Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/05/2024, 18:47

General

  • Target

    1997c881825c86264ed07533988451e0_NeikiAnalytics.exe

  • Size

    3.9MB

  • MD5

    1997c881825c86264ed07533988451e0

  • SHA1

    0431748a6566be7050093656d089b52bcc1fe29e

  • SHA256

    7b6428e3ce81a8cee71671e15460e4c81cf1de25ca169e783a0e64e4d98b4542

  • SHA512

    3a7869eec06be58b601aee81747e8d9b95fe6f1e8c8163b53aa76c0190d5ff3c6f734a86ebd613ee63c15303483320509534ec1b3c5807d84c5a2d8387349dc6

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUpLbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1997c881825c86264ed07533988451e0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1997c881825c86264ed07533988451e0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:320
    • C:\SysDrvKR\devbodsys.exe
      C:\SysDrvKR\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1260

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVB1V\dobxec.exe

    Filesize

    235KB

    MD5

    3c8daeed46de984068f9289ad11b3799

    SHA1

    96c9c808883acb5fde8c8098b0bca2cd2cade89d

    SHA256

    2e2607c40536e09e9aee0033698ab7600e384af13e3cdd9c359200efc7206c0f

    SHA512

    ebffeb6cfe516efc579abcd514bc2ad9f71b995687d9885b21067d847f0f31a1276349c40fca4e042121a53eac04fa94df0315d3af615620223c6c1f2f6f2cb1

  • C:\KaVB1V\dobxec.exe

    Filesize

    3.9MB

    MD5

    acf81680624edb0498de6a8e2b62ffe8

    SHA1

    c844a560de00e9c35be4bd10ec597dd455f16680

    SHA256

    8a96b452360da53b53c640df3f77a81d3d0f9ec950f4a3db6dd8504aaaa15605

    SHA512

    430a0614ff3f308bbc1f791b571d689f82711e75905f49e2d6a475371befb592aa381c67764b49aa6535199026e810a974781ac25ed82610e0f6167fdc898a32

  • C:\SysDrvKR\devbodsys.exe

    Filesize

    3.9MB

    MD5

    526ed7111967fcff9f3fc8c6ec963654

    SHA1

    8e40b6464fdb28aaae27c736ba60f9f96589b5c7

    SHA256

    afa530cfbff368a9dc20028cf9ec2d595761d0cb2b155c401bccc4e6417a5358

    SHA512

    e4c011a64cbfe8f5d05ae5ae9b6c10fb7335ffebc5b6b68d3b1366858bf0da0e303c8802d1ee7aa39dde724a85a56c301afc29c39d7b534065ac8a139da01328

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    702d21b16a67c695805d01c5b7a195d4

    SHA1

    196c02d38303409bcdb945e7a54e9742a092c53b

    SHA256

    851c197c194f074fd608174b29823a5f5bbcbdb9706235d17191b1d58d6d490e

    SHA512

    8414c989b2b8e6dce462acc7fe302a73803868d3cefe0915352129ee33bfdf0054a0b9b832146503dc894dedd18a26a244fed17b63425673f3cf9e120342920f

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    b7519cf0ac56015dc9c1ae18bb40f892

    SHA1

    dea8696ee41c16cd8a8bfa6ce8ab46ffbf6ee651

    SHA256

    0005a8acfc16701da79eeb99ff52ad2547546e86a4f4136702a4dca90ab97978

    SHA512

    dfb83875ed59fa1aa14b60f68349a9ffca5dc431e55cbd61edb0ae594c5d137f2658fac6702051dec70a38b84dec380254de5cfb67266daec7c1fb6fc7529bc3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    3.9MB

    MD5

    94b572355c266730f48edf31af279bca

    SHA1

    62a3d84586fff3e03e14856005fd55d173f12e4a

    SHA256

    76fdf436c3463496ad6a9a1cc437bffe19a83338c564874e5e2ef5f98ba83d60

    SHA512

    725cf0a1082fc72404b87351d6510f54f9abd7a9a14deaffa5da126b0277be7d930f779e574f6051609960537be241ea990fb9ac9821879edf64d1f9f361c702
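The Signatures, Processes and Downloads sections above give the paths and hashes of everything the sample wrote to disk. The Python below is an added example, not part of the tria.ge report, that turns them into an offline check a responder can run against a suspect host image: it hashes files in chunks and compares the SHA256 against the report's values, and it flags paths under the persistence locations the sandbox recorded (the per-user Startup folder and the attacker-created C:\SysDrvKR and C:\KaVB1V directories). Note that C:\KaVB1V\dobxec.exe appears twice in the Downloads list with different sizes and hashes, so both digests are kept. Function names and the constructed test file are the example's own assumptions; nothing else is taken from outside this page.

```python
"""Offline IoC check built from the dropped-file list in this report.

Added example, not tria.ge output. Hashes are copied from the report; the
helper names and the constructed test data are assumptions of this example.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable

# SHA256 values from the General and Downloads sections of the report.
REPORT_SHA256: Dict[str, str] = {
    "7b6428e3ce81a8cee71671e15460e4c81cf1de25ca169e783a0e64e4d98b4542":
        "1997c881825c86264ed07533988451e0_NeikiAnalytics.exe (submitted sample)",
    "2e2607c40536e09e9aee0033698ab7600e384af13e3cdd9c359200efc7206c0f":
        r"C:\KaVB1V\dobxec.exe (235KB version)",
    "8a96b452360da53b53c640df3f77a81d3d0f9ec950f4a3db6dd8504aaaa15605":
        r"C:\KaVB1V\dobxec.exe (3.9MB version)",
    "afa530cfbff368a9dc20028cf9ec2d595761d0cb2b155c401bccc4e6417a5358":
        r"C:\SysDrvKR\devbodsys.exe",
    "76fdf436c3463496ad6a9a1cc437bffe19a83338c564874e5e2ef5f98ba83d60":
        r"...\Start Menu\Programs\Startup\locdevbod.exe",
}

# Directories the sample wrote to (Processes and Downloads sections). The Startup
# path is matched as a substring so it fires for any user profile, not just Admin.
PERSISTENCE_DIRS = (
    r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\,"[:-1],
    r"C:\SysDrvKR\,"[:-1],
    r"C:\KaVB1V\,"[:-1],
)


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so the 3.9MB droppers are not slurped into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_persistence_path(path: str) -> bool:
    """True if the path lies in one of the locations the sandbox saw the sample write to.

    NTFS paths are case-insensitive, so compare lower-cased."""
    p = path.lower()
    return any(d.lower() in p for d in PERSISTENCE_DIRS)


def match_hashes(paths: Iterable[str], known: Dict[str, str] = REPORT_SHA256) -> Dict[str, str]:
    """Return {path: report label} for every existing file whose SHA256 is in the report."""
    hits: Dict[str, str] = {}
    for p in paths:
        if os.path.isfile(p):
            digest = sha256_file(p)
            if digest in known:
                hits[p] = known[digest]
    return hits


def demo() -> dict:
    """Self-check on constructed data (no malware involved): hash a temp file,
    register its digest as if it were an IoC, and confirm it is found; also
    confirm an empty file hashes to the well-known SHA256 of the empty string."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "constructed.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed sample bytes, not malware\n" * 1000)
        empty = os.path.join(d, "empty.bin")
        open(empty, "wb").close()
        known = dict(REPORT_SHA256)
        known[sha256_file(sample)] = "constructed test file"
        return {
            "hit": match_hashes([sample], known).get(sample),
            "miss": match_hashes([sample]).get(sample),
            "empty_digest": sha256_file(empty),
        }


if __name__ == "__main__":
    print(demo())
    for p in (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe",
              r"C:\SysDrvKR\devbodsys.exe", r"C:\Windows\System32\notepad.exe"):
        print(p, "->", is_persistence_path(p))
```

On a real image, point match_hashes at a walk of the mounted volume; the hash table is deliberately SHA256-only because the MD5 and SHA1 values on the page add no discriminating power once the SHA256 is available.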