Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/06/2024, 05:43

General

  • Target

    41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe

  • Size

    4.1MB

  • MD5

    41d8293d6d470a82147f90db4bbd7e40

  • SHA1

    fefd07c84d228b570be7182fb1f2e045c751cebb

  • SHA256

    6f249e6ebb3ad3f36ff78e7cd053ed039c70e77e2bfa20adbfc085a2f6801dd5

  • SHA512

    9516512dcae7a0d44d0d622464a2b3aae81b6e45e8dd94bedcb70c7549ff7dfb73cf061d174e4a5dc4a3ab642eaa538d2c0c31753c06403152b8d600edcbc66e

  • SSDEEP

    98304:sxX7QnxrloE5dpUp3bVz8eLFcz1/wiAUc2:sxX7QnHoE5dux9a1/pc2

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2904
    • C:\Files4I\devoptisys.exe
      C:\Files4I\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1736
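
The chain above (the sample in Temp writes locxdob.exe into the Startup folder, adds a Run value, then launches both dropped executables from PID 2020) is what a host-based rule should key on. The following Python is an added example, not part of the tria.ge report: it runs three checks over constructed, Sysmon-style events that mirror the PIDs and paths in this tree. The Run value name and the path it points to are assumptions; the report records only that a Run key was added.

```python
import re

# Locations and keys involved in the behaviour the report flags.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Directories a standard user cannot write to; Run values pointing anywhere else get flagged.
TRUSTED_DIR = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\41d8293d6d470a82147f90db4bbd7e40_NeikiAnalytics.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
SECOND_EXE = r"C:\Files4I\devoptisys.exe"

# Constructed events mirroring the report's process tree. "id" follows the Sysmon
# event IDs for process create (1), file create (11) and registry value set (13),
# in a simplified dict form. The Run value name and its data are assumed; the
# report only says a Run key was added by PID 2020.
EVENTS = [
    {"id": 11, "pid": 2020, "image": SAMPLE, "target": STARTUP_EXE},
    {"id": 11, "pid": 2020, "image": SAMPLE, "target": SECOND_EXE},
    {"id": 13, "pid": 2020, "image": SAMPLE,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\devoptisys",
     "details": SECOND_EXE},
    {"id": 1, "pid": 2904, "ppid": 2020, "image": STARTUP_EXE},
    {"id": 1, "pid": 1736, "ppid": 2020, "image": SECOND_EXE},
    # Benign noise the rules must not flag (also constructed).
    {"id": 11, "pid": 1200, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\Documents\notes.txt"},
    {"id": 13, "pid": 1300, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
    {"id": 1, "pid": 1400, "ppid": 1300, "image": r"C:\Program Files\Vendor\agent.exe"},
]


def detect(events):
    """Return (rule, pid, detail) tuples for the three behaviours, in event order."""
    findings = []
    dropped = {}  # lower-cased path -> pid of the process that created it
    for ev in events:
        if ev["id"] == 11:
            dropped[ev["target"].lower()] = ev["pid"]
            # "Drops startup file": an .exe written under the per-user Startup folder.
            if STARTUP_DIR.search(ev["target"]) and ev["target"].lower().endswith(".exe"):
                findings.append(("startup_folder_drop", ev["pid"], ev["target"]))
        elif ev["id"] == 13:
            # "Adds Run key": a Run value whose data is outside Windows/Program Files.
            data = ev.get("details", "")
            if RUN_KEY.search(ev["target"]) and not TRUSTED_DIR.match(data):
                findings.append(("run_key_untrusted_path", ev["pid"], data))
        elif ev["id"] == 1:
            # "Executes dropped EXE": the new process image was written by its own parent.
            writer = dropped.get(ev["image"].lower())
            if writer is not None and writer == ev.get("ppid"):
                findings.append(("executes_dropped_exe", ev["pid"], ev["image"]))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'executes_dropped_exe': 2, ...}."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

The Run-key check is a hunting heuristic rather than a blocking rule: legitimate per-user software also registers Run values under AppData, so in production pair it with the parent-writes-child condition used for the third rule.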

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Files4I\devoptisys.exe

    Filesize

    4.1MB

    MD5

    55d22ad436a7db17ae8fcd23362d6da8

    SHA1

    a9781a9b4e83824f0a57269288edb19d4d05048c

    SHA256

    47d584a7c4b639224d5a1caf8af56b6d63347d19c5d46192102a4fe2ec011601

    SHA512

    fae935c9c9bab6e300c762433812cb6169f5c06b3547473e572c5c4c1f5e604351430746aa076650d4ed14d44593d89c671147c720ad8da5436d6ccefba2af26

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    9bf89eb198107912aacc5468440778ca

    SHA1

    95cfc8958d6dc0e8b1b41098301ce447894b95f0

    SHA256

    6754c63839db81ae266bc3b6f638639df6efbd76f3b69d3a91f0738c0977cd0f

    SHA512

    9f866db166320967a2a3dd526bd8fdf18f0d035d40431e3d9bd4f05267de980070eb5b6258ee6f31a3e3831ffeb53aeb18a47072c3ee878deadfcb77d6ff1c71

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    359e3a7e3177fe2b9452b11d903a2403

    SHA1

    dbd11b7d6022147ab1b1b050f9fa23dc7aaefac1

    SHA256

    0b61301add0b8435fb1a38a7474280151c857875caa83cbfc63b43e625946a72

    SHA512

    ba5887e4c9a86e221b16841624b08f29d994d4c2df4c703e05af0f48ec3cf6ef2c4f9f64b371f9335f6ac6c939c8e80911369b11623cea21ee0d26654948c0d5

  • C:\Vid2C\dobxsys.exe

    Filesize

    4.1MB

    MD5

    88823baa9a9887e9f124f2f0f8372098

    SHA1

    ccd04be6f02740beaf25ea4a1e52a82ceeb37cb0

    SHA256

    3c45c5aae123ed149cfb06a3c4df99b3a58c0a01c235b7a8bf607b564cde28a8

    SHA512

    4a9c1529be2947934078ec16425afbfb99a4767da4fb1edd2118b0b5ec2ad9334ea02091615320f7aae26d26da4a515478c371ba6bc70d8311a589dc8ab87647

  • C:\Vid2C\dobxsys.exe

    Filesize

    4.1MB

    MD5

    2a34a17e2d690151235af64586a65d06

    SHA1

    e20fdf943ce1cc520509c0ce7e70b4723d41ea8a

    SHA256

    755aaee0f85da6f451a2dba21c51f6060b4f0dc494ec4c4356d09f312be4393f

    SHA512

    3b0bb855f52432ab6a397174f147da6cd19d3340432b15bc2186086855f82e5e5760db6a813a32f5e40a4c3ff024c55f6d0e042b5b5d1bb662876ced93cfc5af

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    4.1MB

    MD5

    9cd8f0344bf46ae462340621c0615fa9

    SHA1

    630af98ee12788999906efa5b984e19518b46cae

    SHA256

    a88cebd51567baa490ca3774c8879b5737e09670543a0642acb4b81e218cea00

    SHA512

    aa342a825d68b74b8bb2fe10fb03282a3bad508e60e47d7e0ed76a0e7d64442fcfbb13d555af74c5837b494225cfce8417bf8503f4b8aeaecc2b11b2e270ddc5
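
Two of the paths above (C:\Vid2C\dobxsys.exe and the Admin.ini file) appear twice with different hashes, so the dropped copies are not byte-identical across writes and a block list built only from these hashes can miss the next copy. The parser below is an added example, not part of the tria.ge report: it turns an abridged excerpt of this Downloads list (SHA1 and SHA512 omitted, .ini entries omitted) into records, checks that each hash field is well-formed hex of the right length, and reports paths that carry more than one SHA256.

```python
import re

# Abridged excerpt of the Downloads section above, copied as the page renders it.
REPORT_EXCERPT = r"""
  • C:\Files4I\devoptisys.exe

    Filesize

    4.1MB

    MD5

    55d22ad436a7db17ae8fcd23362d6da8

    SHA256

    47d584a7c4b639224d5a1caf8af56b6d63347d19c5d46192102a4fe2ec011601

  • C:\Vid2C\dobxsys.exe

    Filesize

    4.1MB

    MD5

    88823baa9a9887e9f124f2f0f8372098

    SHA256

    3c45c5aae123ed149cfb06a3c4df99b3a58c0a01c235b7a8bf607b564cde28a8

  • C:\Vid2C\dobxsys.exe

    Filesize

    4.1MB

    MD5

    2a34a17e2d690151235af64586a65d06

    SHA256

    755aaee0f85da6f451a2dba21c51f6060b4f0dc494ec4c4356d09f312be4393f

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    4.1MB

    MD5

    9cd8f0344bf46ae462340621c0615fa9

    SHA256

    a88cebd51567baa490ca3774c8879b5737e09670543a0642acb4b81e218cea00
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")


def parse_downloads(text):
    """Parse the bullet/label/value layout into one dict per dropped file."""
    entries, current, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):           # new artifact: the path follows the bullet
            current = {"path": line[1:].strip()}
            entries.append(current)
            label = None
        elif current is None:              # text before the first bullet
            continue
        elif label is None:                # a label line such as "MD5"
            label = line
        else:                              # the value belonging to the previous label
            current[label] = line
            label = None
    return entries


def validate(entry):
    """Return the hash labels whose value is not lowercase hex of the expected length."""
    bad = []
    for label, n in HASH_LEN.items():
        value = entry.get(label)
        if value is not None and (len(value) != n or not HEX.match(value)):
            bad.append(label)
    return bad


def paths_with_multiple_hashes(entries):
    """Map path -> number of distinct SHA256 values, for paths seen with more than one."""
    by_path = {}
    for e in entries:
        by_path.setdefault(e["path"], set()).add(e.get("SHA256"))
    return {p: len(h) for p, h in by_path.items() if len(h) > 1}


def sha256_set(entries):
    """Distinct SHA256 values, the set a hunt query would match on."""
    return {e["SHA256"] for e in entries if "SHA256" in e}


if __name__ == "__main__":
    records = parse_downloads(REPORT_EXCERPT)
    print(len(records), "artifacts;", paths_with_multiple_hashes(records))
```

The same parser works on the full section, since it pairs any label line with the value beneath it rather than hard-coding the five hash names.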