Analysis
-
max time kernel
141s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
18-05-2024 03:30
Behavioral task
behavioral1
Sample
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe
Resource
win7-20240508-en
General
-
Target
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe
-
Size
534KB
-
MD5
828849f08b62df77ea83d35202ef5210
-
SHA1
a44599acea03322dee6129e8bc28da56a7edfc8f
-
SHA256
828174bf347381e23da462e1d7532958389ecfb00639f6eb5f6001d9f6ac199b
-
SHA512
54dfb7f51ce2fe101ec9033b66be916f0b08052da50c5134f5f8dcc96b5cc250c88679337b6a3a5265c58955d2f8bbfda9d4fd364088635cd6e2201585b5513a
-
SSDEEP
6144:W8fGYJngzxsoIasFzFMkb7ShY97hNbE/55qiIqtqVh06vOGy3V8/GV0jivyabBYv:rkxfIayFMLqheh8KqVh06vDv
Malware Config
Extracted
quasar
2.1.0.0
Office04
0.tcp.sa.ngrok.io:19439
VNM_MUTEX_c2q7y2ayYutZ2XaYe7
-
encryption_key
xzHeU68ynlwXnJHWc12M
-
install_name
$77lol.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
$77lol
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 3 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule behavioral1/memory/1276-1-0x0000000000B90000-0x0000000000C1C000-memory.dmp disable_win_def \Users\Admin\AppData\Roaming\SubDir\$77lol.exe disable_win_def behavioral1/memory/2684-9-0x00000000008A0000-0x000000000092C000-memory.dmp disable_win_def -
Processes:
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe -
Quasar payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1276-1-0x0000000000B90000-0x0000000000C1C000-memory.dmp family_quasar \Users\Admin\AppData\Roaming\SubDir\$77lol.exe family_quasar behavioral1/memory/2684-9-0x00000000008A0000-0x000000000092C000-memory.dmp family_quasar -
Executes dropped EXE 1 IoCs
Processes:
$77lol.exepid process 2684 $77lol.exe -
Loads dropped DLL 1 IoCs
Processes:
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exepid process 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe -
Processes:
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 2652 schtasks.exe 2508 schtasks.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exe828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exepid process 2588 powershell.exe 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe 2912 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exepowershell.exe$77lol.exe828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exedescription pid process Token: SeDebugPrivilege 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe Token: SeDebugPrivilege 2588 powershell.exe Token: SeDebugPrivilege 2684 $77lol.exe Token: SeDebugPrivilege 2684 $77lol.exe Token: SeDebugPrivilege 2912 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
$77lol.exepid process 2684 $77lol.exe -
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe$77lol.execmd.execmd.exedescription pid process target process PID 1276 wrote to memory of 2652 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe schtasks.exe PID 1276 wrote to memory of 2652 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe schtasks.exe PID 1276 wrote to memory of 2652 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe schtasks.exe PID 1276 wrote to memory of 2652 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe schtasks.exe PID 1276 wrote to memory of 2684 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe $77lol.exe PID 1276 wrote to memory of 2684 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe $77lol.exe PID 1276 wrote to memory of 2684 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe $77lol.exe PID 1276 wrote to memory of 2684 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe $77lol.exe PID 1276 wrote to memory of 2588 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe powershell.exe PID 1276 wrote to memory of 2588 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe powershell.exe PID 1276 wrote to memory of 2588 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe powershell.exe PID 1276 wrote to memory of 2588 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe powershell.exe PID 2684 wrote to memory of 2508 2684 $77lol.exe schtasks.exe PID 2684 wrote to memory of 2508 2684 $77lol.exe schtasks.exe PID 2684 wrote to memory of 2508 2684 $77lol.exe schtasks.exe PID 2684 wrote to memory of 2508 2684 $77lol.exe schtasks.exe PID 1276 wrote to memory of 2144 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe cmd.exe PID 1276 wrote to memory of 2144 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe cmd.exe PID 1276 wrote to memory of 2144 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe cmd.exe PID 1276 wrote to memory of 2144 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe cmd.exe PID 2144 wrote to memory of 1860 2144 cmd.exe cmd.exe PID 2144 wrote to memory of 1860 2144 cmd.exe cmd.exe PID 2144 wrote to memory of 1860 2144 cmd.exe cmd.exe PID 2144 wrote to memory of 1860 2144 cmd.exe cmd.exe PID 1276 wrote to memory of 1584 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe cmd.exe PID 1276 wrote to memory of 1584 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe cmd.exe PID 1276 wrote to memory of 1584 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe cmd.exe PID 1276 wrote to memory of 1584 1276 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe cmd.exe PID 1584 wrote to memory of 1620 1584 cmd.exe chcp.com PID 1584 wrote to memory of 1620 1584 cmd.exe chcp.com PID 1584 wrote to memory of 1620 1584 cmd.exe chcp.com PID 1584 wrote to memory of 1620 1584 cmd.exe chcp.com PID 1584 wrote to memory of 1512 1584 cmd.exe PING.EXE PID 1584 wrote to memory of 1512 1584 cmd.exe PING.EXE PID 1584 wrote to memory of 1512 1584 cmd.exe PING.EXE PID 1584 wrote to memory of 1512 1584 cmd.exe PING.EXE PID 1584 wrote to memory of 2912 1584 cmd.exe 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe PID 1584 wrote to memory of 2912 1584 cmd.exe 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe PID 1584 wrote to memory of 2912 1584 cmd.exe 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe PID 1584 wrote to memory of 2912 1584 cmd.exe 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$77lol" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
PID:2652 -
C:\Users\Admin\AppData\Roaming\SubDir\$77lol.exe"C:\Users\Admin\AppData\Roaming\SubDir\$77lol.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$77lol" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\$77lol.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:2508 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*3⤵PID:1860
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\i1ZkhMPmEVmQ.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:1620
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost3⤵
- Runs ping.exe
PID:1512 -
C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
244B
MD5a53a58eaefe31ffa7b20ec5f0402fc60
SHA1cb7dff79003d3a43082664ab8669e03a86319187
SHA2564d8ccd0a2dcac5abc49996fac8ef2a3425942683fde46a4836c66c9c7d8fed54
SHA51237714e5375e23681e1d07637041599c931834836e694157b561b332891c5819170ecdaa08d24c8a45216da53a05b0258e86cdfe76ff70249cea97e1262efb63c
-
Filesize
534KB
MD5828849f08b62df77ea83d35202ef5210
SHA1a44599acea03322dee6129e8bc28da56a7edfc8f
SHA256828174bf347381e23da462e1d7532958389ecfb00639f6eb5f6001d9f6ac199b
SHA51254dfb7f51ce2fe101ec9033b66be916f0b08052da50c5134f5f8dcc96b5cc250c88679337b6a3a5265c58955d2f8bbfda9d4fd364088635cd6e2201585b5513a