Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/06/2024, 01:36

General

  • Target

    53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    53fb1e59d27c4ec5b18cd522469ea850

  • SHA1

    231336b6ec03827a24dcc69456853a6e5018e182

  • SHA256

    413f2b3bcf7a0fe28af6a3e93e1987aedf1dcbfa0deb3ecd7eab63f64d01ed63

  • SHA512

    51fd369c1576feab601e282cb40d284b34705451539df2f1d065f7e98e8ec9f126db07e3c45da6f83602f9a965d2cc1d32811dbf724cf0fa73de50292bccf5a3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpKbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\53fb1e59d27c4ec5b18cd522469ea850_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3052
    • C:\UserDotA5\xdobloc.exe
      C:\UserDotA5\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2120

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDotA5\xdobloc.exe

    Filesize

    3.2MB

    MD5

    44fe375ea7fa3c3add902e8536f6a7d7

    SHA1

    1e21ef78d4f6e2002a4d5255a6dddc75aedc0f37

    SHA256

    19ca244b1f0a8b88d870745aac460c406627060c924afc165de9edea7b0a074f

    SHA512

    d8174e945380a08c9dd299a1bb722ab60de647e7e233db0601d4541ece6ac36de5b6f465785d6d4369b7b66e350b21fd89b104fec97cae27cb31a8052047b8f4

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    34dff6caab16c0d89dd58f51469395e6

    SHA1

    2350aefdaae7a0180ee84f9865488027959727ae

    SHA256

    0fae9a57581b4af0814592baa5d0b5205c85f77790d81c3f970e26b6020d4e16

    SHA512

    2b090c6e8877f807562c204d9395a38b75f6ed036b43ac36dc20e222eb58ef16ac8f99e1321e8cd728b85aed0d7c222f545fc3a699ef14f6726861868d6c650f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    8aeceb9507f6b50fd65b089ba0cbdb84

    SHA1

    92005a94e83389992218b23335a7dc4dce0597fa

    SHA256

    459990d6b9de7454b9ed543dfae0f74fbbc3811ceb8549d8d7b4839db988945c

    SHA512

    75d8efeca431e0b8024bab26e05b337007a64087fb4bffa97adc82b8fd2ec9a4d0dc34526131da0caf443f38a7a22fddd91ed2d0f6ad97bdd828a82b1c55d62c

  • C:\VidNV\optidevloc.exe

    Filesize

    3.2MB

    MD5

    c49ed97c16653fd3571138c34bd0ddc5

    SHA1

    0f4c4e5a2c176de4e34b2af80e58fc538c29c510

    SHA256

    0888885381b502f7b4be0c0e2c644f6cd866d58961676c1234e55b27bad8c6f7

    SHA512

    90206b32f75ae6709e4d0c90380e6bbcbd628ad544b2e461e5a5f59b9bd34d9666d73d42306b12640929272effbbf2d7dcbaec8dbd70f1caa747c785c9df2cdf

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

    Filesize

    3.2MB

    MD5

    64ebdf017d6683db8cbff28bc349f0a4

    SHA1

    3b3cc95740f26516480cebed81e487c5ab3a718a

    SHA256

    827208ffcc4773e5934f7903a3e413ff07400f09df5e8b12e630b9b6d1cc1509

    SHA512

    a9d872762d520fb7efa35022c26d42d01519080b6777b23aa7be68e24ebf0da3dd9fe75daf19a36166bffdba6c156c8891a2a17d3e814586c576c7556ec8ebaf