Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/06/2024, 22:39

General

  • Target

    1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe

  • Size

    3.9MB

  • MD5

    4f90d7054ab313f8b7e02c63fb3bf6a0

  • SHA1

    8166579a770cfd69805ef2158218960a8087ef34

  • SHA256

    1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913

  • SHA512

    26ccea2e76bbe15b765cbe3026e971b0e107d87541f81c5c3ecab436bdc45b6b6a6735eaa9aafbbfdbc514916b51c2e21acf8a293a25b62fe635a0eff7c170cb

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpubVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1808609bd196e8520941ce2b221bf894807685087b1c0dc436d8384294ac7913_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1620
    • C:\AdobeFS\adobloc.exe
      C:\AdobeFS\adobloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2056
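The Signatures and Processes sections above give the persistence and drop locations a responder would check on a suspect host. The following PowerShell hunt is an added example, not part of the tria.ge report or of the sample: it checks the dropped-file paths and SHA256 values listed in the Downloads section, the per-user Startup folder entry, the Run keys (the report says a Run key is added but does not show the value name, so the script matches on the dropped binaries' names in any Run value's data), and live processes named like the dropped EXEs. The ".ini" match pattern and the assumption that its numeric prefix is host-specific are the author's, not the report's.

```powershell
# Added hunting script for the artifacts in this report (not the report's own code).
# Assumptions are marked inline; paths and hashes come from the report above.

$ErrorActionPreference = 'SilentlyContinue'

# Fixed-location drops and their SHA256 values from the Downloads section.
# boddevloc.exe appears twice (5KB and 97KB), so both hashes are accepted.
$iocFiles = @{
    'C:\AdobeFS\adobloc.exe' = @('e0315d8097eebb05f3bc2ef49b0ca76b97d0ef9f8760c7cb195eb327089f8eec')
    'C:\VidMR\boddevloc.exe' = @('1521865ffa35423f24e6bdb83604d41a34fc1c35747152e884821e8d8880940c',
                                 'ccaf92365f21e15400c23df13a91454ef04b581455b6f1738877863f7083b4f0')
}
# Startup-folder drop; the report shows it under the sandbox user "Admin".
$startupName = 'sysdevopti.exe'
$startupHash = '4fb0fa228ac77f60a9bd3ee99ba012a7448a9e889c957b5e91f355d8da795ae1'

$findings = New-Object System.Collections.Generic.List[string]

function Test-IocFile {
    param([string]$Path, [string[]]$KnownHashes)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $h = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    if ($KnownHashes -contains $h) {
        $findings.Add("HASH MATCH  $Path  sha256=$h")
    } else {
        # Same path, different content: still report it, since the sample itself
        # wrote two different versions of boddevloc.exe to one path.
        $findings.Add("PATH MATCH  $Path  sha256=$h (hash not in report)")
    }
}

# 1. Fixed-location drops.
foreach ($p in $iocFiles.Keys) { Test-IocFile -Path $p -KnownHashes $iocFiles[$p] }

# 2. Startup-folder drop, checked for every local profile, not only the current user.
foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
    $startup = Join-Path $profile.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    Test-IocFile -Path (Join-Path $startup $startupName) -KnownHashes @($startupHash)
    # Assumption: the "<digits>_10.0_<user>.ini" file in the profile root has a
    # host-specific numeric prefix, so only the suffix is matched here.
    Get-ChildItem -LiteralPath $profile.FullName -Filter '*_10.0_*.ini' -File |
        ForEach-Object { $findings.Add("INI CANDIDATE  $($_.FullName)  $($_.Length)B") }
}

# 3. Run keys. The report does not name the value, so flag any Run value whose
#    data references one of the dropped binaries. HKCU covers the current user only;
#    other users' hives would need to be loaded from HKU separately.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$needles = @('adobloc.exe', 'boddevloc.exe', $startupName)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata members
        foreach ($n in $needles) {
            if ("$($prop.Value)" -like "*$n*") {
                $findings.Add("RUN KEY  $k\$($prop.Name) = $($prop.Value)")
            }
        }
    }
}

# 4. Live processes matching the dropped EXE names from the process tree.
Get-Process | Where-Object { $needles -contains ($_.ProcessName + '.exe') } |
    ForEach-Object { $findings.Add("PROCESS  $($_.ProcessName) pid=$($_.Id) path=$($_.Path)") }

if ($findings.Count -eq 0) { 'No artifacts from this report found.' } else { $findings }
```

Run it in an elevated PowerShell session so that HKLM and other users' profile directories are readable; a "PATH MATCH" with an unknown hash is a reason to pull the file for comparison rather than a false positive, because the report shows the same path being overwritten with different content.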

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeFS\adobloc.exe

    Filesize

    3.9MB

    MD5

    3fd9ef6bce3b10278159ed28450e13e3

    SHA1

    96b15b235f58af143f291d076427610f809c694a

    SHA256

    e0315d8097eebb05f3bc2ef49b0ca76b97d0ef9f8760c7cb195eb327089f8eec

    SHA512

    cb0bc40ab25e3ec4a14b20593231c8c1cda8377a19ee3df9d30420e77c17ae74745e07961dbaa2e8878de3a4a0bf0397ac409098dea0dbb0fa1aedb5f2076b80

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    8cffa05aaf1057fa9aa2f6a0f65b3915

    SHA1

    d13a4b481fddafa6b9931239b7a8064c273aab39

    SHA256

    4bd838e321d2fa8b09a749c0eeb63140b2182dc37b1b4cc046cc17f14edeac5e

    SHA512

    cc4bc71915cd63ad933255cf9c597d0f57f5d1feb6557f7ce1d3dbbadc30cb20d70436c948b8b02c98bb2efc7fea6c876ecc1289902339674666f7b58228b250

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    0ac5496c0f5065894058f4b60d98a7c0

    SHA1

    5aa9ada5dffc34bff55e68e35e49084c77a6b8b6

    SHA256

    02c59313328eb0640eb4a13c7daa9c4e72d34afb67d2f8d336423c4b1f308c6b

    SHA512

    e139d1630dbb9ff5c857281f971644ffda12375f29c5ab10a1089fdd40bf3aed67b877ce88d54c0352dbb1ddf4e5fd8cf0fc52a58ecd92d78824cfaec934f85a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

    Filesize

    3.9MB

    MD5

    d3a8f44f1649b24ba2d0e6bd06fe59d5

    SHA1

    ee698d4afbf9660ce5b5750f905acd1d7d8d3dbf

    SHA256

    4fb0fa228ac77f60a9bd3ee99ba012a7448a9e889c957b5e91f355d8da795ae1

    SHA512

    ad8b2c3f6dcf3d33028b2e24b9cede5b1818da20f6f6b910a70d7a00729e425e1a746187aade90fb4fcaa6fd658679b03c0a0c3d983fbe1ac9c74197629a39a1

  • C:\VidMR\boddevloc.exe

    Filesize

    5KB

    MD5

    c346de548654eab088b033eeb72e5ab8

    SHA1

    61d5e6da50d6f7b00217db8a4faeabab00794f6b

    SHA256

    1521865ffa35423f24e6bdb83604d41a34fc1c35747152e884821e8d8880940c

    SHA512

    71996885c5bf78369a6b117b33876a4ff88a61e474d45695d776216dbf0c5c67b726e0167ec40d11578f9ff9e4f05d4d09be5b84116cab7e67d7e09c4188b2df

  • C:\VidMR\boddevloc.exe

    Filesize

    97KB

    MD5

    cf1de8d0c96c032a98804976977b3eda

    SHA1

    6593c371927d1ffecc28e157cc78dffdb5959f83

    SHA256

    ccaf92365f21e15400c23df13a91454ef04b581455b6f1738877863f7083b4f0

    SHA512

    e8736c1e85c0a9ee7a6f65c2da9d264affaced060e6431fe238b3b42b0858fdca970b5f3828ef68bae020f61216729fa1eb2ea2126aaa80613a7a75f76786de8