Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
18-05-2024 22:51
General
-
Target
19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exe
-
Size
3.1MB
-
MD5
19451df9007da7ff2487be92a77fa250
-
SHA1
fca38124a0a074a09b1f34b322073acb2721b86e
-
SHA256
630001fa4519808fd9203d695549174388a58f1a164a0abe29478d3685a74f26
-
SHA512
80c62c24bd3a17fb0001074ab076a1d60ee65d39ada969c13d9057423fbcaaf447308712ec073c74c0e36e1131c10a4bdb86e9d03563f1fa2f447bb53f581dc9
-
SSDEEP
49152:4v5I22SsaNYfdPBldt698dBcjHj0+o+KMfutoGdZU8zTHHB72eh2NT:4v622SsaNYfdPBldt6+dBcjHj0+o+OJ
Malware Config
Extracted
quasar
1.4.1
Hawa Slave
having-bunny.gl.at.ply.gg:32381
c043154e-c770-47c9-83a7-6cfcfe2e8a81
-
encryption_key
89EA4FFE5F728FABCCAA501D85497C89A98F95CB
-
install_name
powershell.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svchost
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\19451df9007da7ff2487be92a77fa250_NeikiAnalytics.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powershell.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\powershell.exe"C:\Users\Admin\AppData\Roaming\SubDir\powershell.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powershell.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\SubDir\powershell.exeFilesize
3.1MB
MD519451df9007da7ff2487be92a77fa250
SHA1fca38124a0a074a09b1f34b322073acb2721b86e
SHA256630001fa4519808fd9203d695549174388a58f1a164a0abe29478d3685a74f26
SHA51280c62c24bd3a17fb0001074ab076a1d60ee65d39ada969c13d9057423fbcaaf447308712ec073c74c0e36e1131c10a4bdb86e9d03563f1fa2f447bb53f581dc9
-
memory/1792-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmpFilesize
4KB
-
memory/1792-1-0x0000000000D60000-0x0000000001084000-memory.dmpFilesize
3.1MB
-
memory/1792-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmpFilesize
9.9MB
-
memory/1792-8-0x000007FEF5830000-0x000007FEF621C000-memory.dmpFilesize
9.9MB
-
memory/2628-10-0x0000000000D30000-0x0000000001054000-memory.dmpFilesize
3.1MB
-
memory/2628-11-0x000007FEF5830000-0x000007FEF621C000-memory.dmpFilesize
9.9MB
-
memory/2628-9-0x000007FEF5830000-0x000007FEF621C000-memory.dmpFilesize
9.9MB
-
memory/2628-12-0x000007FEF5830000-0x000007FEF621C000-memory.dmpFilesize
9.9MB