Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 27/05/2024, 01:22
Static task: static1
Behavioral task: behavioral1
  Sample: 1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
Size: 2.6MB
MD5: 1472ede8b6ff7b8953f3a03087c432d0
SHA1: 5dbcfc62a26e8e8097c78451d228c552c2264224
SHA256: e6b8d0a1dd709f2f56dbb21dc03913ad9efa7ebf7e2fd21805956d1a95f56bd6
SHA512: 02e1b866518e5c1c281308b44b5293a58b6f60be2df1937a60e2fe06f4ee142d9c2c137caf7568d7754c35a2a81f488ab9ec3f3fb3c841e5fe8e43f76e0dbbfa
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpSb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  Process: 1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
Executes dropped EXE (2 IoCs)
  PID 3048  sysadob.exe
  PID 1732  devoptisys.exe
Loads dropped DLL (2 IoCs)
  PID 3016  1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe (2 entries)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHM\\devoptisys.exe"
    Process: 1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxR6\\dobxloc.exe"
    Process: 1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3016  1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe (2 entries)
  PID 3048  sysadob.exe (31 entries, alternating with the next)
  PID 1732  devoptisys.exe (31 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3016 (1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe) wrote to memory of PID 3048, procid_target 28 (4 entries)
  PID 3016 (1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe) wrote to memory of PID 1732, procid_target 29 (4 entries)
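As an added example that is not part of the tria.ge report, the PowerShell hunt script below checks a Windows host for the persistence artifacts recorded in the signatures above: the sysadob.exe drop in the per-user Startup folder, the Run/RunOnce value named Parametr, and the two dropped paths under C:\AdobeHM and C:\GalaxR6, with SHA256 hashes compared against the values in this report. Every path, value name and hash it searches for is taken from the report; the function names, the walk over all loaded user hives, and the output shape are this example's own choices.

```powershell
# Added hunt script, not part of the tria.ge report. Every path, value name and
# hash below comes from the report; function names and output shape are my own.
$ErrorActionPreference = 'SilentlyContinue'   # missing keys/paths are expected on a clean host

# "Adds Run key to start application": value name and the two targets it points at
$RunValueName = 'Parametr'
$RunTargets   = @('C:\AdobeHM\devoptisys.exe', 'C:\GalaxR6\dobxloc.exe')

# "Drops startup file": file name created in the per-user Startup folder
$StartupName  = 'sysadob.exe'

# SHA256 of the submitted sample followed by the Downloads-section hashes
# (the report does not say which dropped file each Downloads hash belongs to)
$KnownSha256 = @(
    'e6b8d0a1dd709f2f56dbb21dc03913ad9efa7ebf7e2fd21805956d1a95f56bd6',
    '0c462b5455be46292eac29f24d18b83b8671d12180c798ac21934223fae3a0a9',
    '41737594ceef89e9d4d0389deb11f042ea5d02e903e1359b3110a565e7c0b1bd',
    '0b2e7da6fe13e1abfc05dc31898f9758e2b90fe94d3847eff578d06e33ba20b0',
    '67cd9cfa210b10158e68c72a08e6e0cf41feb0414ac17c6fe90c145ae2eab585',
    '265aa1d6bc544f588b6cbe6e46a0cf11788ba83badeefdbdd07ae29beff66042',
    'df658195e5844a6b1e59055a3e35810111e4f7451ad90830e7e68bc972455d0f'
)
# Properties Get-ItemProperty adds that are not registry values
$PsMetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-HashLabel([string]$Path) {
    # SHA256 the file and say whether it is one of the report's hashes
    $h = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    if ($KnownSha256 -contains $h) { "$h (matches report)" } else { "$h (not in report: variant or repack?)" }
}

function Find-RunKeyIoc {
    # The report shows the key under one user's SID; walk every loaded hive under
    # HKEY_USERS so other profiles are covered too (run elevated to see them all).
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key   = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\$sub"
            $props = Get-ItemProperty -Path $key
            if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -in $PsMetaProps) { continue }
                $value  = [string]$p.Value
                $byName = $p.Name -eq $RunValueName
                $byData = [bool]($RunTargets | Where-Object { $value -like "*$_*" })
                if ($byName -or $byData) {
                    [pscustomobject]@{ Type = "Registry $sub"; Location = "$key\$($p.Name)"; Detail = $value }
                }
            }
        }
    }
}

function Find-StartupFolderIoc {
    # Per-user Startup folder; the sandbox user was Admin, so check every profile
    foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
        $path = Join-Path $profile.FullName "AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$StartupName"
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{ Type = 'Startup folder'; Location = $path; Detail = Get-HashLabel $path }
        }
    }
}

function Find-DroppedFileIoc {
    # Executables the dropper wrote into directories at the drive root
    foreach ($path in $RunTargets) {
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{ Type = 'Dropped file'; Location = $path; Detail = Get-HashLabel $path }
        }
    }
}

$findings = @(Find-RunKeyIoc) + @(Find-StartupFolderIoc) + @(Find-DroppedFileIoc)
if ($findings.Count -eq 0) { 'No artifacts from this report found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated PowerShell 4 or later session (Get-FileHash is not available in older versions, and other users' hives and profiles need administrator rights). A path or value-name hit whose hash is not in the report is still worth a look: the value name Parametr and the directory names AdobeHM and GalaxR6 are more likely to survive a repack of the sample than any of the file hashes.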
Processes
- C:\Users\Admin\AppData\Local\Temp\1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe (depth 1, PID 3016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (depth 2, PID 3048, child of PID 3016)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeHM\devoptisys.exe (depth 2, PID 1732, child of PID 3016)
    Command line: C:\AdobeHM\devoptisys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 05a3c45c928f2c132dc16e9d9dcc8870
SHA1: 2a48e9ae05d8e7f4972a39950f5792bf8f1ed590
SHA256: 0c462b5455be46292eac29f24d18b83b8671d12180c798ac21934223fae3a0a9
SHA512: c3032019b97c58034f842d9283f844d5249efa40b4240a53244d54ea767080348fcc85f58094ba5451745b2e578670a571722b274da73a81e0bef8d31a17ed94

Filesize: 9KB
MD5: bceeb783568178019cfa9ce19da30a69
SHA1: 3918c6d01f7a27b2a71133015ea935c5555085ff
SHA256: 41737594ceef89e9d4d0389deb11f042ea5d02e903e1359b3110a565e7c0b1bd
SHA512: 7f5f1ad508c1398430e588ab45f558d602b62af4ef7015ce011fe61ef27edee18de0252583558376c713ddc3fdba30604a1b0746cd79acd745c19075f7a1bbf0

Filesize: 8KB
MD5: 1c31992317278cbfbb062cd4732b9020
SHA1: b2953bc21d0bbd03b25aba4e7b3d56cc63708195
SHA256: 0b2e7da6fe13e1abfc05dc31898f9758e2b90fe94d3847eff578d06e33ba20b0
SHA512: a5b02c17136be2ad9ac5c6a2585c1d7c84233d35eef6ba3067f7e8ca22977de16026663f8caeff0cd96ab4385a960bba9a5ec07876508d7fcf403cee572a75bb

Filesize: 172B
MD5: d920626d821f1a90f47fbb1a23eba083
SHA1: 1a0ab15339fb38bd6712bfb2a3f879b45ef01f54
SHA256: 67cd9cfa210b10158e68c72a08e6e0cf41feb0414ac17c6fe90c145ae2eab585
SHA512: 23a5878d58438812d3dcde0013f3cac463d90722023bc0e9da168c5e029d299ca90689997be0ea8626713c809de98292294d2600d99daed119c47f58a0cd1409

Filesize: 204B
MD5: b0f01d5b1bfa96d3607155e973c1b501
SHA1: a40d221aff4af6220a9531ba807f75798975508e
SHA256: 265aa1d6bc544f588b6cbe6e46a0cf11788ba83badeefdbdd07ae29beff66042
SHA512: 2bcbc289ecb39c1f935539c5dd8df58fd13803c5330394ecd81b9206eb364d7dcfaf4edefbd4fb87aa2a2014d994d9b143134805e8dd369a3690684b318437e4

Filesize: 2.6MB
MD5: 52a526489969e5ecd372caf897aa8da7
SHA1: 4ea29ee99841ffe3c8228c9c681af72c508df085
SHA256: df658195e5844a6b1e59055a3e35810111e4f7451ad90830e7e68bc972455d0f
SHA512: ebcec5846cf763f26df44fbb9edeaa5508cf45527291c67ff85bc14b2fdd54c05c8893a6e0e3552dafd85a24ab7240f80fc46c5d9cbb6603bab9835080e64134