Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/05/2024, 03:45

General

  • Target

    a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe

  • Size

    3.9MB

  • MD5

    a6db96aef9150433481995726b09b8a0

  • SHA1

    670f4bc6abfaf8b7b1588d8ca553a5d2f5018e5b

  • SHA256

    f1aa412967081cd47d2bc2ac0a73ce267d3b26f7a906057175cdd68797f34d16

  • SHA512

    58f6451eba42d242a876668b0939d564db44a57b21ee6f2dafae552f377f4a1daee4058e0959576db12d2fb4f451cc249ea649518482d49639d4322e74507be3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqz8:sxX7QnxrloE5dpUpbbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2984
    • C:\UserDotPJ\devoptiec.exe
      C:\UserDotPJ\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax4I\bodxloc.exe

    Filesize

    15KB

    MD5

    10e6df3619bbbd1a2464d5000a56fbb5

    SHA1

    9080f324c059847c04fbc434d62d8ab2e06140a9

    SHA256

    e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559

    SHA512

    9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff

  • C:\Galax4I\bodxloc.exe

    Filesize

    3.9MB

    MD5

    f002a266b390177af589bde294600d6a

    SHA1

    470b35bc9141281fc6ac42f4217bf86569cfd18a

    SHA256

    41e2e4a85766c22b9877e5c2dd85f04ff56d57115b5597df0956d62fa41c3d04

    SHA512

    9a37e3b8ab8eab1aae813b4d5a33c476ea4bcb52447bd5729e7632a996b2774409a37a00758f8b8e6b6f7846e9e057bbecebc6b2ecc63b90be6eb29bcb114636

  • C:\UserDotPJ\devoptiec.exe

    Filesize

    3.9MB

    MD5

    14ff2e1a32eaba9106c4787082ceed44

    SHA1

    678f82211cc1c75a32cc6d7a4084d6d20c488877

    SHA256

    f98a6ed62082e369c1f7c3e87667031da2cd5357a65ad1137494c4b68d21091a

    SHA512

    5c369277a195baee3c080c09d78e28d455142150c8071733b19a6beecf41debcfc1408dc89a626ab394dc32b25fb0fdba79f1dfdc260c9f6048a9e5140bb90f2

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    217ff6fb1ab7e2c27ccfba0731ae7396

    SHA1

    04f6b685e4e6d08fbe8b7c1575d6fa918e999073

    SHA256

    5f23cf645fbcb23bbb364ee70e5ec78b48efbe8f234961d4c189072cc7d570ae

    SHA512

    1c8e1ddf250abc49852a9f5fbfa477dda1f93e773313c99981bf7f4073200a0144f976e16cf14e632594e45b1e20be1d48c2f3dc1f9db870d9d025506905dfeb

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    b91d581e8ecc96ae357110f1f23577a7

    SHA1

    53be585134e41985dc15064095660862956b98a3

    SHA256

    d24857a750e0694954e51b2e39c057ffb7c366b19edf1adcdd6c0f6b764337f3

    SHA512

    a6291a44c720df0dde23e6e9c3ae5ab42a0cb89ab6e286d2bfda86bd28e7438f7cde842ddebac4da0b6185ceb09aafb4f8aa9ea3da0c1e385cc0debd6567f3c0

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

    Filesize

    3.9MB

    MD5

    f1024d1714b88eb090a49b96332fb90c

    SHA1

    39ac0b6bc208fa553ec46552a60c1c4c186f80c2

    SHA256

    60837fb9c337b20bb36d3b8a43ddcaed7e3b44a75764bf5e8f23ddb51ca7b582

    SHA512

    ca9646dd184a7f6cad23aaad64abf0c51333e25ddb38ea3d9478b1a13021b70c8bbde16f9bc4d0a1e09a5ead5bdf3e7e8d224eb44dc9e6802cd7cc8cb24e1086