Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/06/2024, 00:04

General

  • Target

    1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe

  • Size

    3.1MB

  • MD5

    1b000262b7ec3ccab0b3f80f90a31930

  • SHA1

    ed26d834a1a84a5fe0af223a3e89fd80e03b1a46

  • SHA256

    6d0b683695df3831aa8753ccafaa80243794ed10cf5ecae53f423066338e091d

  • SHA512

    9d019b96883bceb88dff961040626c7eb28f74b17dabad4bed841c732087d5bbe0225ea309b341160b83059eebd19e2424cca4864a720852fb24166af6e37cf6

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpobVz8eLFc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2284
    • C:\SysDrv22\devoptiloc.exe
      C:\SysDrv22\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBHD\bodasys.exe

    Filesize

    3.1MB

    MD5

    1aa7add3a8a228e32f0ce72216bbbd56

    SHA1

    26c7fb9f7cec43f5442d4b0651b98e0d631afdf7

    SHA256

    023f78fa5a6f1b75b52aa5d62b1fa6380888291cb30ae168d7a8890ca9bd8114

    SHA512

    5827ad8ba9273cceeb87da55c657248c235606d89659c4fa94f04582e13270c9a6afb4e5b898334fc4c9d3078c500f66edecfb42f051aaf05f490df2fb929406

  • C:\KaVBHD\bodasys.exe

    Filesize

    3.1MB

    MD5

    6e294583dc082d47edab62ee4f7153fb

    SHA1

    e1a4333fe0252a6d57d05a7712352d40c8be2e64

    SHA256

    c25a670c06525d70facf5d46c4003b1ac736a4886820c70f860fd47dfce44465

    SHA512

    728ae7c52cd581b9874560fd7e10ac69f8a6844afb1fee03d9fc3b1674a6dec7d3553313c38cc56dbc163a177919087f82cbdc7f58888ede71a8d412958d42a1

  • C:\SysDrv22\devoptiloc.exe

    Filesize

    3.1MB

    MD5

    0ddb5529dfcdd9267b611cfe202035e5

    SHA1

    a92f54b1aec5a960f7de14e4108f2b7de59b8163

    SHA256

    eb33614eb015294b57f8c86354ecc6bd4f4b35cc7dbf616b0749f273d4cb9f15

    SHA512

    e1a7c2ed34e1bb0ebade6622bd2632e9cba24139e5216d9a897045f32309a4b95bb310c7c3b8cfbd8b964c8d417089c40f77ebc1711058c997c88f384189671c

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    7ff041c4b355f72dd888d9f799dabf60

    SHA1

    073151f2440f4bfe90cc4c7504c554673333bebe

    SHA256

    95892c0f94aab1bfea2c8913689cfef4ecb53ea3c2d5c8f7be265cec9e816fae

    SHA512

    4c1ae6b470bddebd9b5ffc43507c00987b3b480e3bcc4dc554b555846e405c92cae758b39af9bc1f9ff36db827cf559f6b625e5be2b0ba7f06c45325deac12d2

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    d41727cf6c99947fe0411f2042dccafb

    SHA1

    e5395fb429fe9ef67db639703b6f3b301af4c3ec

    SHA256

    efc08c9c674cf28434595ba2b1dc54971ecf3904f2f71ee21630bf08c3682149

    SHA512

    110e9ccbc77d37a7c29419e1a820a33d92802e5df10acfbac9fba4e8f89e80cc997f09259406a49c909c7c606c0257e485e7fe045a9158669fd6eb8d7947ad4a

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

    Filesize

    3.1MB

    MD5

    1083d3d4e417ca0aa85199668f43fae2

    SHA1

    9392c33127726776c89d31f7c5b97efa8d157bbc

    SHA256

    a0c30091a957a0ba94743783c8c7cf5383022ff85ebcb7f716d0f8a51519f44b

    SHA512

    81219ca2852311945db7dca3cdbae03a2007e076ee6859cfcea0ce407fd80a5de137297b246c2db3f30b9e0fb8745d7a203c9d56c5e7c53a38e2a3322b16a308