Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/05/2024, 16:21

General

  • Target

    12e16a008a5813732935972704d9a290_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    12e16a008a5813732935972704d9a290

  • SHA1

    3fde23c769943deb96ba0150f7d1d555c69384d8

  • SHA256

    e39512682c0be56ce868cd235dcff9cc304b28bfabdf2233f696e605dacb7103

  • SHA512

    1906770a2a1083c283d7d03930a550039e7834500a3d68157b1d6a237edee757ceb9eb09db0893aa33f45ae9e46edb430e72716451c2500006c9de6afeee11c7

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSqz8b6LNX:sxX7QnxrloE5dpUpXbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12e16a008a5813732935972704d9a290_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\12e16a008a5813732935972704d9a290_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:452
    • C:\AdobeD1\adobsys.exe
      C:\AdobeD1\adobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1484
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3384

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\AdobeD1\adobsys.exe

      Filesize

      3.0MB

      MD5

      021dee4790f40dece6920c077b326fd0

      SHA1

      db8a5d18e24be178674613e1eab83e7cb159f685

      SHA256

      42086d70e208cea525e1b0139ce986a43286a4308adf98e5e13f640412eb0b90

      SHA512

      4d530fd6d236ae2cacbb1dc37d8a5a361a015b4f4a32b6645b9191aa95f83111fc8e53b9ad05a75a9326a7994f474c12a038aee13580be9387a2c4f47bc0fa06

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      200B

      MD5

      2db98f20a6bfaa9553df7ed730f9f6b1

      SHA1

      c55126eea630490842b94a4572bff47185eb27a0

      SHA256

      12e688eede72c466a58a3c90c5217a9695e679e46ea652cd8ade3fcdf6301a0d

      SHA512

      75282af6009ebe276eb955d8eefe6d954c8e7c9818be9a702a9d7051a01d15f950f6e85c6c04689601c6959d23ef78cb2ebc096ea986c3e5f986f69c825584d3

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      168B

      MD5

      624929d32dc58fe4b4eb50841e2e195a

      SHA1

      358b1043556f3625c35a1d93da330b16fc4c8d66

      SHA256

      137b4b20424ddd837ad6b033fb64e61dd249ad74e3528943e2ffe6af99ca4050

      SHA512

      bad4e00f2338bde9ea2a87b1ad88f22fc20c8f16f60cf364e063356a9f1115265da3ba734bbe904b40323ed56137293a60b508db6117e39fd0ce6277eab62e8d

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

      Filesize

      3.0MB

      MD5

      44f49f74108b95e37c4370c4cb9ac0fe

      SHA1

      456cf5eece5befc08244ae7aaa0d0c7fa7b255ea

      SHA256

      3385b6e5d668e99fc0b2b0dbb7bf1d10a692df9c9ae7456f8cd298447ca6cd0f

      SHA512

      29fa5c0fd9f07f4d09f435d7b5247c8302b9e99c41f190624be085039fd912150d1b8f0de1b034ded9fed4515432c0076d7facce34a97a1e36684361f3ebb3f6

    • C:\VidVQ\optiasys.exe

      Filesize

      3.0MB

      MD5

      7c5f3ceedd0e9401c50ecced07ae89ad

      SHA1

      30572060c496129bb5c041ae25c0e0ab1535b0fc

      SHA256

      71838ae72eaece9e28a959e4a3a534618b7565ccc1214aac7b7e81a2d39ebf8f

      SHA512

      68c1f529973b6c0e5e0d5604ecab89b59731e2ed9fa4278ff554778076a0b5c8edecbc48480ff6b8880c95dd71f870ca2611242c748f654f5b5a8dfb958593ef

    • C:\VidVQ\optiasys.exe

      Filesize

      3.0MB

      MD5

      9132a7e20726c7300231d0bed3bf479a

      SHA1

      72accb2027d70b1cd9832270220306d0d4d5f1b9

      SHA256

      5e3bbdc680f4acfafb4c8a5015cad44259885142a4aed523543f8603a47376d2

      SHA512

      8288d560db993c8ebeb86f9c9a37872fdf695a27883c62bfeef61a83caddcef860994ada7e72d16f3d73fde6cbc5d0bb5af04b9f16239bbc3423f250e36e270b