Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 149s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240419-en
  • resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted: 14/06/2024, 01:03

General

  • Target

    95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    95862838317736fc73fb3b544a5986a0

  • SHA1

    d87290e4a51c8ab2fe814521e546aaa9ec959098

  • SHA256

    21d391cdd14d379e1c182615619991685d5eea59f81d8fce667889d6f40de3f4

  • SHA512

    1c1c6afb967378aeea20e1bda1058c74993b2a20a7e4fe27de1c59ff3c94e919d878215b4ff395cf68c9ee54857d472f14cf72e24314b46e7da4a0bd308434cd

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNX:sxX7QnxrloE5dpUpLbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\95862838317736fc73fb3b544a5986a0_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1928
    • C:\Intelproc4B\xbodloc.exe
      C:\Intelproc4B\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2596

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Intelproc4B\xbodloc.exe

    Filesize

    3.0MB

    MD5

    c856d28f13b51691d4224f29d1f2cb1f

    SHA1

    13b1b1c8211caf9778bfee4d05aede719e0f1f9b

    SHA256

    b59d3235480ec18d9b3f6047c64ecdd7c36f92d9e524e8ac9ddb4e3decbd9a3f

    SHA512

    1b30c0b919802c06a354385b8b30e0e4ec07939394f9add29db0807ecd6db4486d65ca02be56daa46cae90fa43da4bdf674f3996359cd8efbdee09fe5ea9041c

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    e7e914efa6375bc10dc3eca9dafc668e

    SHA1

    1a85a4f95eb5ba3bb7a7e77359777a2f77bac9df

    SHA256

    57ebbe6985cf5403ecff6f972c06f7718d2195482a450442c0f8b014c8afeda1

    SHA512

    a3d9156c6cbf4b6f7eec7634116b8c0ce4c5428f3360b312eac4d1bdfb0709d99145d118768668dadb6c28503579d049de74f9f134706dc3530a732e3bc9aece

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    6f2381a4a9426535451fab0e845fdce3

    SHA1

    a319f268b9ee9cef70697f2d612c5a0eb36baa8a

    SHA256

    ad45edef59052b337628d20f123b39f852a12368ab2ce9af5e17dbe3b073faf0

    SHA512

    e4eb205a2b76b14f96204e61c82d94040495f9e6848ac00e35d54f6274c7250cbb8ac6896213ea6fef7f64c5a82fb11b511f01aa162e35f06912c104c0b90132

  • C:\VidMJ\bodxsys.exe

    Filesize

    3.0MB

    MD5

    f0504fb3fcc227dca5e223a259fb2a29

    SHA1

    98009211334fa4253ebf3fc7ff743bb5f1dcb5c7

    SHA256

    9369bc23b92d775ab9a6c6bbf9bababf093a4c29baa27bf08c457bd0111d42f9

    SHA512

    5f6aee5746e79edec1e48f00f5e14001aed93b75675b048a450c285dd97f4980132a78ccb232fc4ce242a44bdfcd5b71e8cdaa171c2e9476c4d06d492efaef17

  • C:\VidMJ\bodxsys.exe

    Filesize

    3.0MB

    MD5

    6c5535c53dadbb9e1d2737c4a798394a

    SHA1

    5e89c98580ccdb670e30701a32241032cd6038e2

    SHA256

    4807f7c75d37e9bf9a707163ede03b5a2aa95afd3fcd322a7a941f26bdbfda0e

    SHA512

    0b637e6a6c7fc4437ca0aecdc1b699ba69bff45d707af4e81968457817d86c685dc9be71af149b94410eb87d33351fb3a34eaaedb8020fd604fbf1348c19a52c

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

    Filesize

    3.0MB

    MD5

    b408b27316821b719ae9be15273dd103

    SHA1

    fd0621e9a7c04f6c1bb7fb47187f6edff44acc51

    SHA256

    5113e40327acdcba215ff98df175e7e197b49f06c78ea40ef8645f052deefb24

    SHA512

    539b57af2ab655edd07f56398612edc78c1c22c50df4eb6677f7cad9bfc46e52afee02a06fb9d6b9931f910165e7c589a04a0098c0c7ee1219b7c57fa9fa6dfe