Analysis
max time kernel: 149s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/06/2024, 00:04
Static task: static1
Behavioral task: behavioral1
  Sample: 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
Size: 3.1MB
MD5: 1b000262b7ec3ccab0b3f80f90a31930
SHA1: ed26d834a1a84a5fe0af223a3e89fd80e03b1a46
SHA256: 6d0b683695df3831aa8753ccafaa80243794ed10cf5ecae53f423066338e091d
SHA512: 9d019b96883bceb88dff961040626c7eb28f74b17dabad4bed841c732087d5bbe0225ea309b341160b83059eebd19e2424cca4864a720852fb24166af6e37cf6
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpobVz8eLFc
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  Process: 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
Executes dropped EXE (2 IoCs)
  PID 2868: locdevopti.exe
  PID 1916: xoptisys.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotE3\\xoptisys.exe"
    Process: 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRL\\bodxsys.exe"
    Process: 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2664: 1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe (first 4 entries)
  PID 2868: locdevopti.exe
  PID 1916: xoptisys.exe
  The remaining entries alternate in pairs between PID 2868 (locdevopti.exe) and PID 1916 (xoptisys.exe).
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2664 (1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe) wrote to memory of PID 2868, procid_target 98 (3 entries)
  PID 2664 (1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe) wrote to memory of PID 1916, procid_target 100 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b000262b7ec3ccab0b3f80f90a31930_NeikiAnalytics.exe"
  PID: 2664
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  |- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
       Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
       PID: 2868
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
  |- C:\UserDotE3\xoptisys.exe
       Command line: C:\UserDotE3\xoptisys.exe
       PID: 1916
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
  PID: 3024
Network
MITRE ATT&CK Enterprise v15
Downloads