Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/06/2024, 08:50
Static task: static1
Behavioral task: behavioral1
- Sample: 4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
- Size: 3.0MB
- MD5: aa3c13aef990e8df9ce2d2ff912533c0
- SHA1: abbeec86b7bc6318ea1e5a373dd46edf5f993252
- SHA256: 4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752
- SHA512: a137a8dca379e3d7a15817e88e5e10e176410fe1a04d040149c7f82b83fb25e4f14a933a44dd97d1d0bd8d7699a88d72585dc6f7c031e25e7624103005d79b61
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSqz8:sxX7QnxrloE5dpUpcbVz8
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | 4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4852 | sysdevopti.exe
  3648 | devbodsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvI6\\devbodsys.exe" | 4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWX\\boddevloc.exe" | 4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed, count in the last column)
  pid | Process | occurrences
  748 | 4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe | 4
  4852 | sysdevopti.exe | 30
  3648 | devbodsys.exe | 30
- Suspicious use of WriteProcessMemory (6 IoCs; identical rows collapsed, count in the last column)
  description | pid | Process | procid_target | occurrences
  PID 748 wrote to memory of 4852 | 748 | 4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe | 86 | 3
  PID 748 wrote to memory of 3648 | 748 | 4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe | 87 | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe (PID 748)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c97421c80108b8afd49b09ed3493846cbae9891dd4fc535987ebb589b012752_NeikiAnalytics.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe (PID 4852)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvI6\devbodsys.exe (PID 3648)
    Command line: C:\SysDrvI6\devbodsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 240KB
  MD5: ccd6a2945e542c4d7a6d8b95b0b225b3
  SHA1: 67e901760d8388b8ee4cf909a562dabc8ec4a255
  SHA256: ae4d82df2e7f2bef727789d511319b235611c3101059828aa64d192b6dd58b05
  SHA512: 5f7e5a26dd9e3b12d3532868f0513bc59ffb1a382cec5172cb068ced77bdd6549c3427ea5361a544fbf81f800f719355b90dabd106a5c081267ba14e13ecd729
- Filesize: 1.3MB
  MD5: f959f6e93a57f5cc9d72e046c87087c5
  SHA1: a7aead5a1962258fbfab1690eb1407b55ab7e176
  SHA256: 1b86e0e3eed189ac0e05e70eeeddfd00dc13b8c464b636248e68fe0a7e60a685
  SHA512: 3f761a8a63894c0ba0f4eebc1ed4fedb5125ee8afc33626b5b5511f8e4fb2af9af64e058f18eeeb034c0cab210ca46a051b748dc0bc63eec82baae68662b9421
- Filesize: 768KB
  MD5: abc997d5ff79c2b3f8030103ac1a9b4b
  SHA1: 1c6c7705fd1dfa8bc330b4ece0b5b2cef39ffe7d
  SHA256: 57a9a3fe43aecefd9ed9f66d3e3b620465a7896f8a5af84f239146a9f1c5043e
  SHA512: d073869b3d6e81e07e6b5470a02e335074ee3443a9044d5c516c4499fa8c75a12424cc42a245a06ad2d8dac0a25665323aa9eb1fd253dbfc97613ca2a442717e
- Filesize: 3.0MB
  MD5: d5853f33a15c043ad49bd9183cc4093b
  SHA1: cffdab5e8979ea386042aeaf8f8563087db61d71
  SHA256: 932257000fb1cf6dff1636f268f86fb61c9c1a8da0d5b80994854681e79ba845
  SHA512: bdd5851390bbfbe121025bc752c71c3467130addf301166dd717348f1eebeffb42088c4b0c3973fbc425d3ccc1a0749810190376e26b59a161d38f3ad1e703a4
- Filesize: 208B
  MD5: 471e0833dc268ccce68f19f84d9402cf
  SHA1: 54ec2b79a7b13f258e82eee5515678aa9ad7fb64
  SHA256: 4cb9a0c88fe5cf4a800bf74f7b4a3b3672042bcedc8b70ccf90a965d0e95d78f
  SHA512: 29af30745373aabf9fb067c799856ccb61e44e11af37f8b15f0fe1411a2bb9fd71f087ebd97d97b57f8602b347a9fddd87cc230a44d6c61f7ed7dd46d1f921e6
- Filesize: 176B
  MD5: 21039c2411e293e70ba6583401450850
  SHA1: 3aeda479913e0a70fe8559513cae22a213a52f72
  SHA256: d4b4aff9347364c84f3fec51f3b877641887e8da969b8bbfc4e2cbf9eb301ead
  SHA512: 98e6d297788b04bb8cd3191122ab8a2827c4e7ec42b5371b654192fff24c93883a8bca406069c2a9885b166d08c039c114bd26fb5c1befac1709eb2665ca1a89
- Filesize: 3.0MB
  MD5: 85636580a141e8e06e87ec391043c964
  SHA1: c91a6d41240454c1f83b4dd17374bb10fe5b97f5
  SHA256: de16b6e7fdf118daeb37e6c6c88bf82880c1e9fff5951e6c1502dc72514f0269
  SHA512: 226ad223c093ebdf9cc437fa477f69df756e26b952615e2d7e0ca590293caf5c95688163b9063356371be9e6429969a1fa8c985181c4a5175bda5293ae1149ff