Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/05/2024, 01:22

General

  • Target: 1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe
  • Size: 2.6MB
  • MD5: 1472ede8b6ff7b8953f3a03087c432d0
  • SHA1: 5dbcfc62a26e8e8097c78451d228c552c2264224
  • SHA256: e6b8d0a1dd709f2f56dbb21dc03913ad9efa7ebf7e2fd21805956d1a95f56bd6
  • SHA512: 02e1b866518e5c1c281308b44b5293a58b6f60be2df1937a60e2fe06f4ee142d9c2c137caf7568d7754c35a2a81f488ab9ec3f3fb3c841e5fe8e43f76e0dbbfa
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpSb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs
    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe (PID:3016)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1472ede8b6ff7b8953f3a03087c432d0_NeikiAnalytics.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (PID:3048)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • Child: C:\AdobeHM\devoptisys.exe (PID:1732)
      Command line: C:\AdobeHM\devoptisys.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\AdobeHM\devoptisys.exe
    Filesize: 2.6MB
    MD5: 05a3c45c928f2c132dc16e9d9dcc8870
    SHA1: 2a48e9ae05d8e7f4972a39950f5792bf8f1ed590
    SHA256: 0c462b5455be46292eac29f24d18b83b8671d12180c798ac21934223fae3a0a9
    SHA512: c3032019b97c58034f842d9283f844d5249efa40b4240a53244d54ea767080348fcc85f58094ba5451745b2e578670a571722b274da73a81e0bef8d31a17ed94

  • C:\GalaxR6\dobxloc.exe
    Filesize: 9KB
    MD5: bceeb783568178019cfa9ce19da30a69
    SHA1: 3918c6d01f7a27b2a71133015ea935c5555085ff
    SHA256: 41737594ceef89e9d4d0389deb11f042ea5d02e903e1359b3110a565e7c0b1bd
    SHA512: 7f5f1ad508c1398430e588ab45f558d602b62af4ef7015ce011fe61ef27edee18de0252583558376c713ddc3fdba30604a1b0746cd79acd745c19075f7a1bbf0

  • C:\GalaxR6\dobxloc.exe
    Filesize: 8KB
    MD5: 1c31992317278cbfbb062cd4732b9020
    SHA1: b2953bc21d0bbd03b25aba4e7b3d56cc63708195
    SHA256: 0b2e7da6fe13e1abfc05dc31898f9758e2b90fe94d3847eff578d06e33ba20b0
    SHA512: a5b02c17136be2ad9ac5c6a2585c1d7c84233d35eef6ba3067f7e8ca22977de16026663f8caeff0cd96ab4385a960bba9a5ec07876508d7fcf403cee572a75bb

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 172B
    MD5: d920626d821f1a90f47fbb1a23eba083
    SHA1: 1a0ab15339fb38bd6712bfb2a3f879b45ef01f54
    SHA256: 67cd9cfa210b10158e68c72a08e6e0cf41feb0414ac17c6fe90c145ae2eab585
    SHA512: 23a5878d58438812d3dcde0013f3cac463d90722023bc0e9da168c5e029d299ca90689997be0ea8626713c809de98292294d2600d99daed119c47f58a0cd1409

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 204B
    MD5: b0f01d5b1bfa96d3607155e973c1b501
    SHA1: a40d221aff4af6220a9531ba807f75798975508e
    SHA256: 265aa1d6bc544f588b6cbe6e46a0cf11788ba83badeefdbdd07ae29beff66042
    SHA512: 2bcbc289ecb39c1f935539c5dd8df58fd13803c5330394ecd81b9206eb364d7dcfaf4edefbd4fb87aa2a2014d994d9b143134805e8dd369a3690684b318437e4

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Filesize: 2.6MB
    MD5: 52a526489969e5ecd372caf897aa8da7
    SHA1: 4ea29ee99841ffe3c8228c9c681af72c508df085
    SHA256: df658195e5844a6b1e59055a3e35810111e4f7451ad90830e7e68bc972455d0f
    SHA512: ebcec5846cf763f26df44fbb9edeaa5508cf45527291c67ff85bc14b2fdd54c05c8893a6e0e3552dafd85a24ab7240f80fc46c5d9cbb6603bab9835080e64134