Analysis
  max time kernel: 4s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 05/06/2024, 11:15
Behavioral task behavioral1
  Sample: 51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task behavioral2
  Sample: 51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
  Target: 51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
  Size: 2.0MB
  MD5: 51e7c3f9ca82945731cb92d976eda8b0
  SHA1: 875977cf0c16aacc9caf2157854cd6ae48f5ec58
  SHA256: 134755c58e6059b79e9713bd2510ba6d6035fbfcd5158374588102fac9030830
  SHA512: b88ad7bd53dc82f732dba8ef31ed9c32e503bf20a730ea8588bea9f14ba97e59f262e90153f86f7b384c65efb9e0cd56fbcd2fbe071cb78559cc8ed6c5681e7f
  SSDEEP: 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKY8:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YS
Malware Config
Extracted: quasar
  1.3.0.0
  EbayProfiles
  5.8.88.191:443
  sockartek.icu:443
  QSR_MUTEX_0kBRNrRz5TDLEQouI0
  encryption_key: MWhG6wsClMX8aJM2CVXT
  install_name: winsock.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: win defender run
  subdirectory: SubDir
Extracted: azorult
  http://0x21.in:8000/_az/
Signatures
Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Quasar payload (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x00070000000233f2-12.dat | family_quasar
  behavioral2/memory/3592-20-0x0000000000B10000-0x0000000000B6E000-memory.dmp | family_quasar
  behavioral2/files/0x00090000000233f5-51.dat | family_quasar
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
Executes dropped EXE (3 IoCs)
  pid | Process
  3956 | vnc.exe
  3592 | windef.exe
  748 | winsock.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by 51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe, one IoC per drive letter: \??\l:, \??\m:, \??\n:, \??\o:, \??\y:, \??\g:, \??\i:, \??\j:, \??\z:, \??\q:, \??\s:, \??\u:, \??\v:, \??\x:, \??\a:, \??\b:, \??\e:, \??\h:, \??\r:, \??\w:, \??\k:, \??\p:, \??\t:
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  12 | ip-api.com
AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/files/0x00090000000233f5-51.dat | autoit_exe
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1020 set thread context of 1884 | 1020 | 51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe | 89
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (4 IoCs)
  pid | pid_target | Process | procid_target
  2764 | 3956 | WerFault.exe | 83
  988 | 748 | WerFault.exe | 97
  4432 | 4772 | WerFault.exe | 124
  4620 | 5004 | WerFault.exe | 120
Creates scheduled task(s) (1 TTP, 5 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4704 | schtasks.exe
  208 | schtasks.exe
  2904 | schtasks.exe
  4116 | schtasks.exe
  2784 | schtasks.exe
Runs ping.exe (1 TTP, 2 IoCs)
  pid | Process
  2804 | PING.EXE
  2708 | PING.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1020 | 51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe (4 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3592 | windef.exe
  Token: SeDebugPrivilege | 748 | winsock.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  748 | winsock.exe
Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | Process | procid_target | events
  PID 1020 wrote to memory of 3956 | 1020 | 51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe | 83 | 3
  PID 1020 wrote to memory of 3592 | 1020 | 51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe | 85 | 3
  PID 3956 wrote to memory of 1400 | 3956 | vnc.exe | 86 | 3
  PID 1020 wrote to memory of 1884 | 1020 | 51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe | 89 | 5
  PID 1020 wrote to memory of 4704 | 1020 | 51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe | 91 | 3
  PID 3592 wrote to memory of 208 | 3592 | windef.exe | 95 | 3
  PID 3592 wrote to memory of 748 | 3592 | windef.exe | 97 | 3
  PID 748 wrote to memory of 2904 | 748 | winsock.exe | 98 | 3
Processes
PID 1020: C:\Users\Admin\AppData\Local\Temp\51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe"
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    PID 3956: C:\Users\Admin\AppData\Local\Temp\vnc.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        PID 1400: C:\Windows\system32\svchost.exe
          cmdline: C:\Windows\system32\svchost.exe -k
        PID 2764: C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 548
          - Program crash
    PID 3592: C:\Users\Admin\AppData\Local\Temp\windef.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\windef.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        PID 208: C:\Windows\SysWOW64\schtasks.exe
          cmdline: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
        PID 748: C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            PID 2904: C:\Windows\SysWOW64\schtasks.exe
              cmdline: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
              - Creates scheduled task(s)
            PID 3520: C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\98XZmpy1bJmm.bat" "
                PID 1140: C:\Windows\SysWOW64\chcp.com
                  cmdline: chcp 65001
                PID 2804: C:\Windows\SysWOW64\PING.EXE
                  cmdline: ping -n 10 localhost
                  - Runs ping.exe
                PID 5004: C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
                  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
                    PID 4116: C:\Windows\SysWOW64\schtasks.exe
                      cmdline: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
                      - Creates scheduled task(s)
                    PID 3488: C:\Windows\SysWOW64\cmd.exe
                      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vc58J22htDFF.bat" "
                        PID 2672: C:\Windows\SysWOW64\chcp.com
                          cmdline: chcp 65001
                        PID 2708: C:\Windows\SysWOW64\PING.EXE
                          cmdline: ping -n 10 localhost
                          - Runs ping.exe
                    PID 4620: C:\Windows\SysWOW64\WerFault.exe
                      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 2228
                      - Program crash
            PID 988: C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1968
              - Program crash
    PID 1884: C:\Users\Admin\AppData\Local\Temp\51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe"
    PID 4704: C:\Windows\SysWOW64\schtasks.exe
      cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
PID 2120: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3956 -ip 3956
PID 4828: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 748 -ip 748
PID 3616: C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  cmdline: C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
    PID 4772: C:\Users\Admin\AppData\Local\Temp\vnc.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
        PID 2640: C:\Windows\system32\svchost.exe
          cmdline: C:\Windows\system32\svchost.exe -k
        PID 4432: C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 520
          - Program crash
    PID 2976: C:\Users\Admin\AppData\Local\Temp\windef.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\windef.exe"
    PID 2356: C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
      cmdline: "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
    PID 2784: C:\Windows\SysWOW64\schtasks.exe
      cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
PID 4844: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4772 -ip 4772
PID 3864: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5004 -ip 5004
PID 1336: C:\Windows\system32\sihost.exe
  cmdline: sihost.exe
    PID 4168: C:\Windows\explorer.exe
      cmdline: explorer.exe /LOADSAVEDWINDOWS
PID 4888: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Downloads