Analysis

  • max time kernel
    149s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/05/2024, 04:56

General

  • Target

    656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    656d24cca6190b419de97393d257fa80

  • SHA1

    88ddc929922dee50d8e11132279af714a9fee19c

  • SHA256

    941af33c8bf3ba6329d76308a2574f202d2ed02564935e0c16c9fb739502180c

  • SHA512

    34a3e5a6240753b0ee42330f0969541d069c6ec32af2253ce69008a57539798487d18995dcfc64037ae89b0676e8121f0e749a826fc93573d46a18ef757bde64

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNX:sxX7QnxrloE5dpUpObVz8eLF

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:948
    • C:\FilesOU\abodsys.exe
      C:\FilesOU\abodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesOU\abodsys.exe

    Filesize

    3.0MB

    MD5

    b3540eb77f0b4aac59e6b3ef1f977ee9

    SHA1

    9e2307f258012115af02a7f32d0150bbd2d35e7e

    SHA256

    2716deb8c4b96d8dd5bb41f42bf47e494a1033dab85fc8ae607d6660692bc629

    SHA512

    bce88dbe5c27d3a9ed34387022857bfd192f4ca9e2043a15e07e0c9a7d1e69fb815575f7aabda50784db0b471fed854b05e0adc8796d048858a64107a1804967

  • C:\LabZWO\optixloc.exe

    Filesize

    85KB

    MD5

    ec66f9943734e3eff5ce34c544a106eb

    SHA1

    f57169d3266caeac9f1495e57a2bb7046462bdee

    SHA256

    6e0021622d2759e70f1181eb24821153dbb68bfa7a45e543c7e1ea8f763cea8a

    SHA512

    a95d31fa416337668f041c970ab120526c8b071953d744c1aa0e5a9d94b7cca6e4a8873b4edc910436d6ac8d715fbdeea4d0b64e723e94d61cc0f020f38deda8

  • C:\LabZWO\optixloc.exe

    Filesize

    2.2MB

    MD5

    f5579a7330cd69450616fb7e81974269

    SHA1

    8cf77da20d27e28b04d6bb483505508835acf88f

    SHA256

    55d9c51e5fb26c3b4dee5664f513c689dce73bb9dc19a9dfd18fcab17172dd20

    SHA512

    6567b7007f7d676f8f8841c9b28dd9fc1a401d895a81faafa2179cf92f618aa63bf45bcc9c2788857da619ac923b76d29c334d9de85586f83555a5a08c9979ef

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    203B

    MD5

    a7f4aa5cbb20135a5fbce66126932d0c

    SHA1

    7bd8b9f703c20646f2a7e67c54bcd02e08e62547

    SHA256

    17f49d933dd5687ea837526b7dc309fae2d570acda24fbf5178133617539c401

    SHA512

    2e21f53b3e5efb8ee6023fc613e3309e9deadf9ebf928724ae4d3b072759da8ddf9fdda85f1e47d11e385186a8a801ac031a46f3dce6e6ff042b14d3841c46ac

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    171B

    MD5

    35999cfb797e622f5862706569985839

    SHA1

    6ce2c0110f46c8518094a1f14ef580f2925ceb86

    SHA256

    4b78a4b4fa896eb1546e3255de0ecadbc4387e10bd6ef1dfbfb72a92df234f26

    SHA512

    126cb8536d521f94c321ae7a8494cbd08b0c08f9735a4aa9f31fac0417b74676ff413ffb11f7aae6d4e96445d6e05e0367e60ce33951a745c886b85815929ee5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    3.0MB

    MD5

    997449288ff10fdbb6418e37c379e9c7

    SHA1

    3700e439350564a00d028b55cd82d4a6bcdc578e

    SHA256

    ea2bc132b465e4154d47f01c46423b9371c3729f31bbed9e25904a03071cf5a7

    SHA512

    de21761af684592234c719bde43a9463fb3e7a83fbefb0ddd4138e84b0f336de939b29e85125b277ce526b5cce1aa95939a32d39f34d5d792ddd2704b0e602b2