Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 26/05/2024, 16:21
Static task: static1
Behavioral task: behavioral1
  Sample: 12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
Size: 3.0MB
MD5: 12e16a008a5813732935972704d9a290
SHA1: 3fde23c769943deb96ba0150f7d1d555c69384d8
SHA256: e39512682c0be56ce868cd235dcff9cc304b28bfabdf2233f696e605dacb7103
SHA512: 1906770a2a1083c283d7d03930a550039e7834500a3d68157b1d6a237edee757ceb9eb09db0893aa33f45ae9e46edb430e72716451c2500006c9de6afeee11c7
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSqz8b6LNX:sxX7QnxrloE5dpUpXbVz8eLF
Malware Config
Signatures
Drops startup file 1 IoCs
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  Process: 12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
Executes dropped EXE 2 IoCs
  pid 452: ecxopti.exe
  pid 1484: adobsys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive user information.
Adds Run key to start application 2 TTPs 2 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeD1\\adobsys.exe"
    Process: 12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVQ\\optiasys.exe"
    Process: 12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  The 64 entries repeat the following pid/Process pairs:
  pid 3404: 12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
  pid 452: ecxopti.exe
  pid 1484: adobsys.exe
Suspicious use of WriteProcessMemory 6 IoCs
  description | pid | Process | procid_target
  PID 3404 wrote to memory of 452 | 3404 | 12e16a008a5813732935972704d9a290_NeikiAnalytics.exe | 91
  PID 3404 wrote to memory of 452 | 3404 | 12e16a008a5813732935972704d9a290_NeikiAnalytics.exe | 91
  PID 3404 wrote to memory of 452 | 3404 | 12e16a008a5813732935972704d9a290_NeikiAnalytics.exe | 91
  PID 3404 wrote to memory of 1484 | 3404 | 12e16a008a5813732935972704d9a290_NeikiAnalytics.exe | 92
  PID 3404 wrote to memory of 1484 | 3404 | 12e16a008a5813732935972704d9a290_NeikiAnalytics.exe | 92
  PID 3404 wrote to memory of 1484 | 3404 | 12e16a008a5813732935972704d9a290_NeikiAnalytics.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\12e16a008a5813732935972704d9a290_NeikiAnalytics.exe (PID:3404)
  command line: "C:\Users\Admin\AppData\Local\Temp\12e16a008a5813732935972704d9a290_NeikiAnalytics.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe (PID:452)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  C:\AdobeD1\adobsys.exe (PID:1484)
    command line: C:\AdobeD1\adobsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:3384)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads