Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/06/2024, 08:50

General

  • Target

    4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe

  • Size

    3.0MB

  • MD5

    aa3c13aef990e8df9ce2d2ff912533c0

  • SHA1

    abbeec86b7bc6318ea1e5a373dd46edf5f993252

  • SHA256

    4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752

  • SHA512

    a137a8dca379e3d7a15817e88e5e10e176410fe1a04d040149c7f82b83fb25e4f14a933a44dd97d1d0bd8d7699a88d72585dc6f7c031e25e7624103005d79b61

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8:sxX7QnxrloE5dpUpcbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4852
    • C:\SysDrvI6\devbodsys.exe
      C:\SysDrvI6\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintWX\boddevloc.exe

    Filesize

    240KB

    MD5

    ccd6a2945e542c4d7a6d8b95b0b225b3

    SHA1

    67e901760d8388b8ee4cf909a562dabc8ec4a255

    SHA256

    ae4d82df2e7f2bef727789d511319b235611c3101059828aa64d192b6dd58b05

    SHA512

    5f7e5a26dd9e3b12d3532868f0513bc59ffb1a382cec5172cb068ced77bdd6549c3427ea5361a544fbf81f800f719355b90dabd106a5c081267ba14e13ecd729

  • C:\MintWX\boddevloc.exe

    Filesize

    1.3MB

    MD5

    f959f6e93a57f5cc9d72e046c87087c5

    SHA1

    a7aead5a1962258fbfab1690eb1407b55ab7e176

    SHA256

    1b86e0e3eed189ac0e05e70eeeddfd00dc13b8c464b636248e68fe0a7e60a685

    SHA512

    3f761a8a63894c0ba0f4eebc1ed4fedb5125ee8afc33626b5b5511f8e4fb2af9af64e058f18eeeb034c0cab210ca46a051b748dc0bc63eec82baae68662b9421

  • C:\SysDrvI6\devbodsys.exe

    Filesize

    768KB

    MD5

    abc997d5ff79c2b3f8030103ac1a9b4b

    SHA1

    1c6c7705fd1dfa8bc330b4ece0b5b2cef39ffe7d

    SHA256

    57a9a3fe43aecefd9ed9f66d3e3b620465a7896f8a5af84f239146a9f1c5043e

    SHA512

    d073869b3d6e81e07e6b5470a02e335074ee3443a9044d5c516c4499fa8c75a12424cc42a245a06ad2d8dac0a25665323aa9eb1fd253dbfc97613ca2a442717e

  • C:\SysDrvI6\devbodsys.exe

    Filesize

    3.0MB

    MD5

    d5853f33a15c043ad49bd9183cc4093b

    SHA1

    cffdab5e8979ea386042aeaf8f8563087db61d71

    SHA256

    932257000fb1cf6dff1636f268f86fb61c9c1a8da0d5b80994854681e79ba845

    SHA512

    bdd5851390bbfbe121025bc752c71c3467130addf301166dd717348f1eebeffb42088c4b0c3973fbc425d3ccc1a0749810190376e26b59a161d38f3ad1e703a4

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    208B

    MD5

    471e0833dc268ccce68f19f84d9402cf

    SHA1

    54ec2b79a7b13f258e82eee5515678aa9ad7fb64

    SHA256

    4cb9a0c88fe5cf4a800bf74f7b4a3b3672042bcedc8b70ccf90a965d0e95d78f

    SHA512

    29af30745373aabf9fb067c799856ccb61e44e11af37f8b15f0fe1411a2bb9fd71f087ebd97d97b57f8602b347a9fddd87cc230a44d6c61f7ed7dd46d1f921e6

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    176B

    MD5

    21039c2411e293e70ba6583401450850

    SHA1

    3aeda479913e0a70fe8559513cae22a213a52f72

    SHA256

    d4b4aff9347364c84f3fec51f3b877641887e8da969b8bbfc4e2cbf9eb301ead

    SHA512

    98e6d297788b04bb8cd3191122ab8a2827c4e7ec42b5371b654192fff24c93883a8bca406069c2a9885b166d08c039c114bd26fb5c1befac1709eb2665ca1a89

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

    Filesize

    3.0MB

    MD5

    85636580a141e8e06e87ec391043c964

    SHA1

    c91a6d41240454c1f83b4dd17374bb10fe5b97f5

    SHA256

    de16b6e7fdf118daeb37e6c6c88bf82880c1e9fff5951e6c1502dc72514f0269

    SHA512

    226ad223c093ebdf9cc437fa477f69df756e26b952615e2d7e0ca590293caf5c95688163b9063356371be9e6429969a1fa8c985181c4a5175bda5293ae1149ff