Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
18-05-2024 03:30
Behavioral task
behavioral1
Sample
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe
Resource
win7-20240508-en
General
-
Target
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe
-
Size
534KB
-
MD5
828849f08b62df77ea83d35202ef5210
-
SHA1
a44599acea03322dee6129e8bc28da56a7edfc8f
-
SHA256
828174bf347381e23da462e1d7532958389ecfb00639f6eb5f6001d9f6ac199b
-
SHA512
54dfb7f51ce2fe101ec9033b66be916f0b08052da50c5134f5f8dcc96b5cc250c88679337b6a3a5265c58955d2f8bbfda9d4fd364088635cd6e2201585b5513a
-
SSDEEP
6144:W8fGYJngzxsoIasFzFMkb7ShY97hNbE/55qiIqtqVh06vOGy3V8/GV0jivyabBYv:rkxfIayFMLqheh8KqVh06vDv
Malware Config
Extracted
quasar
2.1.0.0
Office04
0.tcp.sa.ngrok.io:19439
VNM_MUTEX_c2q7y2ayYutZ2XaYe7
-
encryption_key
xzHeU68ynlwXnJHWc12M
-
install_name
$77lol.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
$77lol
-
subdirectory
SubDir
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule behavioral2/memory/2532-1-0x00000000004F0000-0x000000000057C000-memory.dmp disable_win_def C:\Users\Admin\AppData\Roaming\SubDir\$77lol.exe disable_win_def -
Processes:
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe -
Quasar payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2532-1-0x00000000004F0000-0x000000000057C000-memory.dmp family_quasar C:\Users\Admin\AppData\Roaming\SubDir\$77lol.exe family_quasar -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe -
Executes dropped EXE 1 IoCs
Processes:
$77lol.exepid process 536 $77lol.exe -
Processes:
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 9 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 3596 schtasks.exe 3944 schtasks.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
powershell.exe828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exepid process 4736 powershell.exe 4736 powershell.exe 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe 832 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exepowershell.exe$77lol.exe828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exedescription pid process Token: SeDebugPrivilege 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe Token: SeDebugPrivilege 4736 powershell.exe Token: SeDebugPrivilege 536 $77lol.exe Token: SeDebugPrivilege 536 $77lol.exe Token: SeDebugPrivilege 832 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
$77lol.exepid process 536 $77lol.exe -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe$77lol.execmd.execmd.exedescription pid process target process PID 2532 wrote to memory of 3596 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe schtasks.exe PID 2532 wrote to memory of 3596 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe schtasks.exe PID 2532 wrote to memory of 3596 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe schtasks.exe PID 2532 wrote to memory of 536 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe $77lol.exe PID 2532 wrote to memory of 536 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe $77lol.exe PID 2532 wrote to memory of 536 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe $77lol.exe PID 2532 wrote to memory of 4736 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe powershell.exe PID 2532 wrote to memory of 4736 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe powershell.exe PID 2532 wrote to memory of 4736 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe powershell.exe PID 536 wrote to memory of 3944 536 $77lol.exe schtasks.exe PID 536 wrote to memory of 3944 536 $77lol.exe schtasks.exe PID 536 wrote to memory of 3944 536 $77lol.exe schtasks.exe PID 2532 wrote to memory of 1656 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe cmd.exe PID 2532 wrote to memory of 1656 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe cmd.exe PID 2532 wrote to memory of 1656 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe cmd.exe PID 1656 wrote to memory of 5040 1656 cmd.exe cmd.exe PID 1656 wrote to memory of 5040 1656 cmd.exe cmd.exe PID 1656 wrote to memory of 5040 1656 cmd.exe cmd.exe PID 2532 wrote to memory of 3332 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe cmd.exe PID 2532 wrote to memory of 3332 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe cmd.exe PID 2532 wrote to memory of 3332 2532 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe cmd.exe PID 3332 wrote to memory of 2596 3332 cmd.exe chcp.com PID 3332 wrote to memory of 2596 3332 cmd.exe chcp.com PID 3332 wrote to memory of 2596 3332 cmd.exe chcp.com PID 3332 wrote to memory of 3628 3332 cmd.exe PING.EXE PID 3332 wrote to memory of 3628 3332 cmd.exe PING.EXE PID 3332 wrote to memory of 3628 3332 cmd.exe PING.EXE PID 3332 wrote to memory of 832 3332 cmd.exe 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe PID 3332 wrote to memory of 832 3332 cmd.exe 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe PID 3332 wrote to memory of 832 3332 cmd.exe 828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$77lol" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
PID:3596
-
-
C:\Users\Admin\AppData\Roaming\SubDir\$77lol.exe"C:\Users\Admin\AppData\Roaming\SubDir\$77lol.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$77lol" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\$77lol.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:3944
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit2⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*3⤵PID:5040
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UPJd1GJOGNfo.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:2596
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost3⤵
- Runs ping.exe
PID:3628
-
-
C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\828849f08b62df77ea83d35202ef5210_NeikiAnalytics.exe.log
Filesize1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
Filesize
244B
MD56772c3f2ecee5cc657017a506a5deffb
SHA14402f0d7cdf26e446b6bd246b6284c8c4bf57ffe
SHA25650ddf26cc1c71b6a850e5e8ae8eea884aa48b0d2fc6f57c790aec48a6c4c7e28
SHA5128890fa7f04796fc2db6451cb40cfd8044e5e799166cf5472f3b8744ceefd19c4cc5ed936098b418681e0162c10f415eab99af3d9605c0ffe31ae79e97f67679a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
534KB
MD5828849f08b62df77ea83d35202ef5210
SHA1a44599acea03322dee6129e8bc28da56a7edfc8f
SHA256828174bf347381e23da462e1d7532958389ecfb00639f6eb5f6001d9f6ac199b
SHA51254dfb7f51ce2fe101ec9033b66be916f0b08052da50c5134f5f8dcc96b5cc250c88679337b6a3a5265c58955d2f8bbfda9d4fd364088635cd6e2201585b5513a