Analysis
- max time kernel: 149s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/05/2024, 04:56
Static task: static1
Behavioral task: behavioral1
- Sample: 656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
- Size: 3.0MB
- MD5: 656d24cca6190b419de97393d257fa80
- SHA1: 88ddc929922dee50d8e11132279af714a9fee19c
- SHA256: 941af33c8bf3ba6329d76308a2574f202d2ed02564935e0c16c9fb739502180c
- SHA512: 34a3e5a6240753b0ee42330f0969541d069c6ec32af2253ce69008a57539798487d18995dcfc64037ae89b0676e8121f0e749a826fc93573d46a18ef757bde64
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNX:sxX7QnxrloE5dpUpObVz8eLF
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (process: 656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe)
- Executes dropped EXE (2 IoCs)
  PID 948: locdevbod.exe
  PID 1644: abodsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOU\\abodsys.exe" (process: 656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWO\\optixloc.exe" (process: 656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs, repeated entries for three processes)
  PID 4100: 656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
  PID 948: locdevbod.exe
  PID 1644: abodsys.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4100 (656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe) wrote to memory of PID 948, procid_target 90 (3 entries)
  PID 4100 (656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe) wrote to memory of PID 1644, procid_target 92 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\656d24cca6190b419de97393d257fa80_NeikiAnalytics.exe"
  PID: 4100
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    PID: 948
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesOU\abodsys.exe
    Command line: C:\FilesOU\abodsys.exe
    PID: 1644
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads