Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
submitted: 25/05/2024, 03:45
Static task: static1
Behavioral task: behavioral1
Sample: a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
Size: 3.9MB
MD5: a6db96aef9150433481995726b09b8a0
SHA1: 670f4bc6abfaf8b7b1588d8ca553a5d2f5018e5b
SHA256: f1aa412967081cd47d2bc2ac0a73ce267d3b26f7a906057175cdd68797f34d16
SHA512: 58f6451eba42d242a876668b0939d564db44a57b21ee6f2dafae552f377f4a1daee4058e0959576db12d2fb4f451cc249ea649518482d49639d4322e74507be3
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqz8:sxX7QnxrloE5dpUpbbVz8
Malware Config
Signatures
Drops startup file (1 IoC)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
Process: a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe

Executes dropped EXE (2 IoCs)
pid 2984: ecxdob.exe
pid 2648: devoptiec.exe

Loads dropped DLL (2 IoCs)
pid 2156: a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
pid 2156: a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPJ\\devoptiec.exe"
Process: a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax4I\\bodxloc.exe"
Process: a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 2156: a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe (2 entries)
pid 2984: ecxdob.exe and pid 2648: devoptiec.exe (the remaining entries alternate between these two processes)

Suspicious use of WriteProcessMemory (8 IoCs)
description: PID 2156 wrote to memory of 2984; Process: a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe; procid_target: 28 (4 entries)
description: PID 2156 wrote to memory of 2648; Process: a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe; procid_target: 29 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a6db96aef9150433481995726b09b8a0_NeikiAnalytics.exe (PID: 2156)
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (PID: 2984, child of 2156)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses

2. C:\UserDotPJ\devoptiec.exe (PID: 2648, child of 2156)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads