Analysis
Max time kernel: 149s
Max time network: 104s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 03/06/2024, 16:33
Static task: static1
Behavioral task: behavioral1
  Sample: aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
The signatures, process tree and dropped files shown on this page come from the Windows 10 run (behavioral2, resource win10v2004-20240508-en), matching the platform and resource listed under Analysis.
General
Target: aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
Size: 4.0MB
MD5: aedff83800d8a0bff4e5adaae2d78250
SHA1: e6a6acc9f6419d1f427eb336ef4f6e21544f2d9c
SHA256: c5b185d5b042e78a24c043af473e73af6daccd9d1c4ea57f2197fed4a4148eae
SHA512: 46f68ac1d7b81c518f94b7d7b521c073ff320e16797d9d18f1c5036e785f26c151cbd6302f3e98a1b7f06b485a9c55dd038aa2838c427718d0ee209434c48983
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  Process: aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
Executes dropped EXE (2 IoCs)
  PID 3640: sysadob.exe
  PID 2488: xbodloc.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\IntelprocY5\xbodloc.exe"
    Process: aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\KaVBHI\dobxec.exe"
    Process: aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
  Note: both values share the name "Parametr". The Run entry points at xbodloc.exe, which does execute in this run (PID 2488). The RunOnce entry points at C:\KaVBHI\dobxec.exe, which never appears in the process tree; RunOnce values fire at the next logon, so that stage was not observed within the analysis window. Together with the Startup-folder copy (sysadob.exe) the sample sets up three user-level autostart paths, all under the analysis user's profile and HKU hive.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4388 aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe: 4 entries
  PID 3640 sysadob.exe and PID 2488 xbodloc.exe: the remaining 60 entries, alternating in pairs between the two processes
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4388 (aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe) wrote to memory of PID 3640 (sysadob.exe), procid_target 87: 3 entries
  PID 4388 (aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe) wrote to memory of PID 2488 (xbodloc.exe), procid_target 91: 3 entries
  Note: both targets are the sample's own child processes (see Processes); no write into an unrelated process is recorded.
Processes
C:\Users\Admin\AppData\Local\Temp\aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe"
  PID: 4388
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
    PID: 3640
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  Child: C:\IntelprocY5\xbodloc.exe
    Command line: C:\IntelprocY5\xbodloc.exe
    PID: 2488
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
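What a detection engineer would check for on an endpoint, given the persistence artifacts above, as an added example in Python (not part of the Triage report and not the sample's code). It replays the report's indicators against constructed Sysmon-style event records (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent value set; the field names follow Sysmon's schema, the values are built from this report) and also surfaces the RunOnce target that was registered but never executed in the sandbox run. The HKU\ key prefix, the explorer.exe parent and the benign "VendorUpdater" control event are assumptions, not observations from the report.

```python
import re

# Indicators copied from the report (SHA256 of the sample and the seven
# dropped files). Compared lower-cased because Sysmon emits upper-case hex.
SAMPLE_SHA256 = "c5b185d5b042e78a24c043af473e73af6daccd9d1c4ea57f2197fed4a4148eae"
DROPPED_SHA256 = {
    "ab58463007931f0b35151f32b2bfa97e6126f4f7cc84aa7c6cfdd2dc6521ad30",
    "2f4251b04899f30e4793fc3556ac617b01f671cd5381436f05c96775d49420ce",
    "dae11531360f52119e74f92c22b4e08c447ecf4f00ff597af166167b162a2cbe",
    "35161f747d195adb9e7c1c4d6db56e767502c6d97a465b94bf90391afda8a370",
    "26793a26d17919d827f2bc2a02eef9f9f1b7ec06dfbadc6913aa597241bd0c05",
    "cb1c586716875e23ae4855d98ff6388566d832d7632fa136b3d2887b47aac65c",
    "6640d56af96b3f7883a5a028bdd40f6f5bb98037f8b7f9c586a169142a99242c",
}
KNOWN_SHA256 = DROPPED_SHA256 | {SAMPLE_SHA256}

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Autostart targets under these roots are treated as expected; anything else
# (C:\IntelprocY5\, C:\KaVBHI\, the user profile) is flagged.
TRUSTED_ROOT_RE = re.compile(r"^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\", re.I)


def _sha256_of(event):
    """Extract SHA256 from a Sysmon 'Hashes' field like 'SHA256=...,MD5=...'."""
    for part in event.get("Hashes", "").split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def _autostart_target(details):
    """Run/RunOnce data is a command line; return just the image path."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ")[0]


def classify(event):
    """Findings for one Sysmon-style event as a list of (rule, detail) tuples."""
    findings = []
    eid, image = event.get("EventID"), event.get("Image", "")
    if eid == 1:  # ProcessCreate
        sha = _sha256_of(event)
        if sha in KNOWN_SHA256:
            findings.append(("known-sample-hash", sha))
        if TEMP_DIR_RE.search(event.get("ParentImage", "")) and not TRUSTED_ROOT_RE.match(image):
            findings.append(("child-of-temp-binary", image))
    elif eid == 11:  # FileCreate
        target = event.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(target) and target.lower().endswith(".exe"):
            findings.append(("startup-folder-drop", target))
    elif eid == 13:  # RegistryEvent, value set
        m = RUN_KEY_RE.search(event.get("TargetObject", ""))
        if m:
            target = _autostart_target(event.get("Details", ""))
            if not TRUSTED_ROOT_RE.match(target):
                findings.append((m.group(1).lower() + "-autostart", target))
    return findings


def triage(events):
    """Apply classify() to an event stream; returns all findings in order."""
    return [f for ev in events for f in classify(ev)]


def never_executed_autostarts(events):
    """Autostart targets written to the registry but never seen as a process
    image. In this report that is C:\\KaVBHI\\dobxec.exe: registered under
    RunOnce, absent from the process tree, so it would only run at next logon."""
    executed = {ev.get("Image", "").lower() for ev in events if ev.get("EventID") == 1}
    return sorted(d for r, d in triage(events)
                  if r.endswith("-autostart") and d.lower() not in executed)


# Constructed events mirroring the report's process tree and signatures.
# The HKU\ key prefix, the explorer.exe parent and the "VendorUpdater" control
# entry are assumptions, not observations from the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aedff83800d8a0bff4e5adaae2d78250_NeikiAnalytics.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
RUN_KEY = r"HKU\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows\CurrentVersion"
EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=" + SAMPLE_SHA256.upper()},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP_EXE},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN_KEY + r"\Run\Parametr",
     "Details": r"C:\IntelprocY5\xbodloc.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN_KEY + r"\RunOnce\Parametr",
     "Details": r"C:\KaVBHI\dobxec.exe"},
    {"EventID": 1, "Image": STARTUP_EXE, "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\IntelprocY5\xbodloc.exe", "ParentImage": SAMPLE},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": RUN_KEY + r"\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:24} {detail}")
    print("registered but not executed:", never_executed_autostarts(EVENTS))
```

The hash match is the narrow indicator; the three path-based rules are the reusable part, since the same sample family can be rebuilt with fresh hashes but still needs a Startup-folder drop, a Run/RunOnce value pointing outside Program Files or Windows, and children spawned from a Temp-resident binary. The last function is the check that turns the report's RunOnce line into an action item: a target that was written but never ran still has to be removed from the host.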
Network
MITRE ATT&CK Enterprise v15
Downloads
Seven files were dropped during the run. Three of them are 4.0MB, the same size as the submitted sample, but carry hashes different from it; the report lists hashes only and does not map them to the file paths named in the signatures above.

Filesize: 990KB
MD5: 7782a958be0e1ad614d03e4882e00311
SHA1: ab7f4dedc44f09b45a2b2107edbf41ba43f4479d
SHA256: ab58463007931f0b35151f32b2bfa97e6126f4f7cc84aa7c6cfdd2dc6521ad30
SHA512: a1697f0b9858a9ad7cc523eab365b6e5099259beced56b4697d25a643ed520d801e5292ebc7777bfc24ccc82cfb56dca6b4e8a3b130689871360a2935cc219fd

Filesize: 4.0MB
MD5: d40b2b900e9d328d035b0ba8e13d95b4
SHA1: 9082d015cf9f2561d836a6cfd2dce23e85f68300
SHA256: 2f4251b04899f30e4793fc3556ac617b01f671cd5381436f05c96775d49420ce
SHA512: 66d8d1ae4507050459c0db10aba77c511f5cf76c59d4a621bdaeec09afc5b606c6587e73263abc69014437f6479902ced1b87c354bc665bc4f75dc1c92f5ae3f

Filesize: 121KB
MD5: b4f41a3358aac4888289be4384a6b618
SHA1: 1d97c59bfa8ebd63de63ff6408720a6dbeb59431
SHA256: dae11531360f52119e74f92c22b4e08c447ecf4f00ff597af166167b162a2cbe
SHA512: 087c9bbfe15ce6b49f4690fc39735fd05a6b758246683cda745fe490fd243319fea7149c3017b24b6e4ec828eecf1ad196d3a493b067aa9895daa9bc2edad32d

Filesize: 4.0MB
MD5: 68ae20a21834fef353832b6ea4a412f9
SHA1: b7b9068c8549484685fd46013e1a3f225096e46e
SHA256: 35161f747d195adb9e7c1c4d6db56e767502c6d97a465b94bf90391afda8a370
SHA512: d46c5ef66613c6172f8f9e8c32d2ff9ff6c3979e947e398299e970201e10dfe6f0a673cae4d4e0028789d8d35b07bf9e412e7c49c667c3da1c0d455f6d12d0db

Filesize: 203B
MD5: 49a4774b7bad852d782d1c022b06bd03
SHA1: 0265ccc3a1f04e08de81f01e8027ede272944733
SHA256: 26793a26d17919d827f2bc2a02eef9f9f1b7ec06dfbadc6913aa597241bd0c05
SHA512: 6493238e3ae23286f631dbe0a0442182fbbf9fbac2b9442c89a1118c700914a170bf2fdb7b571ac30802f3725544acaa989ea092fd41f7def5b6764b05b813fa

Filesize: 171B
MD5: 926a5314a6b8d0c0d0130c5c340f3e0b
SHA1: 728a15bfd7c1d50240d844f41abe176661138037
SHA256: cb1c586716875e23ae4855d98ff6388566d832d7632fa136b3d2887b47aac65c
SHA512: f645cf66efedbd60527150eea53de56616ffe73a24cfa7ac89d86dc978e6801021d5d510f9894114e503aae34baa38a3bba8a72c3e2133f4302067953ab37291

Filesize: 4.0MB
MD5: 6e151e9715c7149a65065966372e5c6e
SHA1: ceb56f5bf2e1f981b4845ef3723ff9004f5bd1a8
SHA256: 6640d56af96b3f7883a5a028bdd40f6f5bb98037f8b7f9c586a169142a99242c
SHA512: 3ea060f7dea08cb6de7a17137114b65f6a12accd99a4f1f3394c364b23ec1b8e44b531b27efa87bf0bac9dbcc02065762c0b3ccc59ad21e12fce241808a91970