Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 05/06/2024, 00:04
Static task: static1
Behavioral task: behavioral1
  Sample: 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
Size: 3.1MB
MD5: 1b000262b7ec3ccab0b3f80f90a31930
SHA1: ed26d834a1a84a5fe0af223a3e89fd80e03b1a46
SHA256: 6d0b683695df3831aa8753ccafaa80243794ed10cf5ecae53f423066338e091d
SHA512: 9d019b96883bceb88dff961040626c7eb28f74b17dabad4bed841c732087d5bbe0225ea309b341160b83059eebd19e2424cca4864a720852fb24166af6e37cf6
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpobVz8eLFc
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe, by process 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
Executes dropped EXE (2 IoCs)
  PID 2284: ecxdob.exe
  PID 2616: devoptiloc.exe
Loads dropped DLL (2 IoCs)
  PID 1608: 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
  PID 1608: 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv22\\devoptiloc.exe", by process 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHD\\bodasys.exe", by process 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1608: 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe (2 entries)
  PID 2284: ecxdob.exe and PID 2616: devoptiloc.exe, alternating for the remaining 62 entries
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1608 (1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe) wrote to memory of PID 2284, procid_target 28 (4 entries)
  PID 1608 (1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe) wrote to memory of PID 2616, procid_target 29 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe"
   PID: 1608
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      PID: 2284
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
   2. C:\SysDrv22\devoptiloc.exe
      Command line: C:\SysDrv22\devoptiloc.exe
      PID: 2616
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads