Analysis

  • max time kernel: 149s
  • max time network: 127s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 05/06/2024, 00:04

General

  • Target: 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
  • Size: 3.1MB
  • MD5: 1b000262b7ec3ccab0b3f80f90a31930
  • SHA1: ed26d834a1a84a5fe0af223a3e89fd80e03b1a46
  • SHA256: 6d0b683695df3831aa8753ccafaa80243794ed10cf5ecae53f423066338e091d
  • SHA512: 9d019b96883bceb88dff961040626c7eb28f74b17dabad4bed841c732087d5bbe0225ea309b341160b83059eebd19e2424cca4864a720852fb24166af6e37cf6
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpobVz8eLFc

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe (PID 2664)
    "C:\Users\Admin\AppData\Local\Temp\1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe"
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (PID 2868, child of PID 2664)
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • C:\UserDotE3\xoptisys.exe (PID 1916, child of PID 2664)
      C:\UserDotE3\xoptisys.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3024)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8

Downloads

  • C:\MintRL\bodxsys.exe
    Filesize: 1.7MB
    MD5: c063e5c6b7580b2ebfd8b81b8742e60a
    SHA1: ae3e50e9b3104b6737c7c0eef7dc36aa73402f9d
    SHA256: 268585f8bfc8ec60e74f6527b77a0ab0b01f9200e376938b6f590610df61af4f
    SHA512: c1ddbd26f86a255489bd5ce9d5fdd19c5e497b78fe50d528a3959148598583a3455fac123d753b129e4c16ae83ffcf2a7bf268cba1b92b22c02b0426ac05c968

  • C:\MintRL\bodxsys.exe
    Filesize: 1.1MB
    MD5: 91338e0f6b3ac1ae484884fd72bf8c19
    SHA1: 9c48300fc2556728f4a48e7acc97ba552aae6b56
    SHA256: acd6c2c74b6152baf4de79434a117e0f705740f6bd4cb7e7dfdcc958dc70e561
    SHA512: a721dddf79dfb32b03c0ce7d425a13fa28d16e4cf327ceee60c8c23ce3bdfd012b5cba8d0bb0484a127672a1fa3e45cea38916d2b67eaeedc8d544c4829c5b95

  • C:\UserDotE3\xoptisys.exe
    Filesize: 64KB
    MD5: 1fe0d14acbae1f4503fe3c851d715a39
    SHA1: 6e9ecb695f2b07b82aa67f8a0c7c244f7baada13
    SHA256: 61af4ae2b9190d39219d4ea312628eb2db34adbac0aa2bc5b6af808cc0035574
    SHA512: 5bf6fdd03a8c739369ddb3db15ef0efd1fb0d8b899aa9ae205bd5ba9ad2806e27164a613b06c9193fa7bbcb331ac03f2295da8a1a6ffab78db5acc631d95b583

  • C:\UserDotE3\xoptisys.exe
    Filesize: 3.1MB
    MD5: f9db04001054ad3864f94ca845bece03
    SHA1: 48d481215c00a77db6757d4ed8a8f79fa4cf11c5
    SHA256: d9ce85c4b24574bb5df90d866870a7d9090c881754ebbf3286d4d5f9a851c391
    SHA512: e5a7a06d9ca4c36bdcfff34d80477127ab125800fd13235f039215fcd50f6cd5e5c9b8401294811f9044398039e81c92ce95324fcb26dcb334f7b8867337f8fb

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 206B
    MD5: 8a9edec53cd33ae5475ff88f2d49ba82
    SHA1: 4831198ab73ad3cdda12d59715f25c170d39a38a
    SHA256: 7e92e151cf635b5ee40362ae29d44cab98c69da07579e414fa71668b2dbade65
    SHA512: 0b2dedb892c73aa6fd2df5960d322080892e2ddecf523afe3b8e172461d30a4c65378f198b6b249ffa32cd1b58361154b90168f58a3b529c6a9c5189ac70772c

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 174B
    MD5: c401a09701c4bdc9faabf5d675d9a506
    SHA1: abb7a3c4724e33a3728af800cf7c98b37b5eeb54
    SHA256: 0fb780aeb6e24f0d9327d35fbb75f219377646a250f87400d9f953763caf6984
    SHA512: e3e1240e0ed2d437b40260f2b54b2b546a73a1a68cd8604a9ba3b2289e63d30b12f3a446cf860ec9c363d087c9c2280a6b993bede5c3c0fb47941059ed8652d5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
    Filesize: 3.1MB
    MD5: 8dc3be9aac67d1935813dab2f1142328
    SHA1: 49f961e4ef92b18f1d555bb4bb7073d055c7f5c7
    SHA256: d384c10eb2f6dc9434f7e7491e13a404ad75787f45c8450f247acb5b5ef5531c
    SHA512: 0e30115465ab76a9b1478067e1946962a6f1bbfc6b0c70fd5c58a05d09ef156ed9bc46a342bac54ea3f16453094f53d0b9d69c1c69fc011c968dfc5613efd829