Analysis

  • max time kernel: 149s
  • max time network: 104s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 03/06/2024, 16:33

General

  • Target: aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
  • Size: 4.0MB
  • MD5: aedff83800d8a0bff4e5adaae2d78250
  • SHA1: e6a6acc9f6419d1f427eb336ef4f6e21544f2d9c
  • SHA256: c5b185d5b042e78a24c043af473e73af6daccd9d1c4ea57f2197fed4a4148eae
  • SHA512: 46f68ac1d7b81c518f94b7d7b521c073ff320e16797d9d18f1c5036e785f26c151cbd6302f3e98a1b7f06b485a9c55dd038aa2838c427718d0ee209434c48983
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4388
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3640
    • C:\IntelprocY5\xbodloc.exe
      C:\IntelprocY5\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2488

Network

MITRE ATT&CK Enterprise v15

Downloads
