Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    18-05-2024 03:30

General

  • Target

    828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe

  • Size

    534KB

  • MD5

    828849f08b62df77ea83d35202ef5210

  • SHA1

    a44599acea03322dee6129e8bc28da56a7edfc8f

  • SHA256

    828174bf347381e23da462e1d7532958389ecfb00639f6eb5f6001d9f6ac199b

  • SHA512

    54dfb7f51ce2fe101ec9033b66be916f0b08052da50c5134f5f8dcc96b5cc250c88679337b6a3a5265c58955d2f8bbfda9d4fd364088635cd6e2201585b5513a

  • SSDEEP

    6144:W8fGYJngzxsoIasFzFMkb7ShY97hNbE/55qiIqtqVh06vOGy3V8/GV0jivyabBYv:rkxfIayFMLqheh8KqVh06vDv

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

0.tcp.sa.ngrok.io:19439

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes
  • encryption_key

    xzHeU68ynlwXnJHWc12M

  • install_name

    $77lol.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    $77lol

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Loads dropped DLL
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "$77lol" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2652
    • C:\Users\Admin\AppData\Roaming\SubDir\$77lol.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\$77lol.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "$77lol" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\$77lol.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2508
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        3⤵
          PID:1860
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\i1ZkhMPmEVmQ.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          3⤵
            PID:1620
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:1512
          • C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe
            "C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2912

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Cab20CC.tmp

        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      • C:\Users\Admin\AppData\Local\Temp\Tar20DE.tmp

        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      • C:\Users\Admin\AppData\Local\Temp\i1ZkhMPmEVmQ.bat

        Filesize

        244B

        MD5

        a53a58eaefe31ffa7b20ec5f0402fc60

        SHA1

        cb7dff79003d3a43082664ab8669e03a86319187

        SHA256

        4d8ccd0a2dcac5abc49996fac8ef2a3425942683fde46a4836c66c9c7d8fed54

        SHA512

        37714e5375e23681e1d07637041599c931834836e694157b561b332891c5819170ecdaa08d24c8a45216da53a05b0258e86cdfe76ff70249cea97e1262efb63c

      • \Users\Admin\AppData\Roaming\SubDir\$77lol.exe

        Filesize

        534KB

        MD5

        828849f08b62df77ea83d35202ef5210

        SHA1

        a44599acea03322dee6129e8bc28da56a7edfc8f

        SHA256

        828174bf347381e23da462e1d7532958389ecfb00639f6eb5f6001d9f6ac199b

        SHA512

        54dfb7f51ce2fe101ec9033b66be916f0b08052da50c5134f5f8dcc96b5cc250c88679337b6a3a5265c58955d2f8bbfda9d4fd364088635cd6e2201585b5513a

      • memory/1276-67-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

        Filesize

        4KB

      • memory/1276-2-0x0000000074B70000-0x000000007525E000-memory.dmp

        Filesize

        6.9MB

      • memory/1276-0-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

        Filesize

        4KB

      • memory/1276-68-0x0000000074B70000-0x000000007525E000-memory.dmp

        Filesize

        6.9MB

      • memory/1276-1-0x0000000000B90000-0x0000000000C1C000-memory.dmp

        Filesize

        560KB

      • memory/1276-80-0x0000000074B70000-0x000000007525E000-memory.dmp

        Filesize

        6.9MB

      • memory/2684-10-0x0000000074B70000-0x000000007525E000-memory.dmp

        Filesize

        6.9MB

      • memory/2684-11-0x0000000074B70000-0x000000007525E000-memory.dmp

        Filesize

        6.9MB

      • memory/2684-9-0x00000000008A0000-0x000000000092C000-memory.dmp

        Filesize

        560KB

      • memory/2684-69-0x0000000074B70000-0x000000007525E000-memory.dmp

        Filesize

        6.9MB

      • memory/2684-70-0x0000000074B70000-0x000000007525E000-memory.dmp

        Filesize

        6.9MB