Malware Analysis Report

2024-08-06 11:49

Sample ID 240608-dtlzzagb9x
Target 873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe
SHA256 343ede22fe4ea40332033bb21aa899d9adbc2bacbae9fdddeb1380f8f47b3554
Tags
quasar dilly evasion spyware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

343ede22fe4ea40332033bb21aa899d9adbc2bacbae9fdddeb1380f8f47b3554

Threat Level: Known bad

The file 873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

quasar dilly evasion spyware themida trojan

Quasar payload

Quasar RAT

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Themida packer

Checks BIOS information in registry

Executes dropped EXE

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Virtualization/Sandbox Evasion
T1497
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Virtualization/Sandbox Evasion
T1497
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-08 03:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 03:18

Reported

2024-06-08 03:20

Platform

win7-20240221-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp

Files

memory/2400-0-0x000000007418E000-0x000000007418F000-memory.dmp

memory/2400-1-0x0000000000D20000-0x0000000000D2A000-memory.dmp

memory/2400-2-0x0000000074180000-0x000000007486E000-memory.dmp

memory/2400-3-0x0000000074180000-0x000000007486E000-memory.dmp

memory/2400-4-0x0000000074180000-0x000000007486E000-memory.dmp

memory/2400-5-0x000000007418E000-0x000000007418F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 03:18

Reported

2024-06-08 03:20

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\loader.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\en\defenderx64.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\en\defenderx64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\en\defenderx64.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\en\defenderx64.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\loader.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\en\defenderx64.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\en\defenderx64.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\en\defenderx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\en\defenderx64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\en\defenderx64.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\en\defenderx64.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\en\defenderx64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4456 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\loader.exe
PID 4456 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\loader.exe
PID 4456 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\loader.exe
PID 2488 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
PID 2488 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
PID 2488 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
PID 4576 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\en\defenderx64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4576 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\en\defenderx64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4576 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\en\defenderx64.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\873a1e2ab5cd98979796cc8b3c3f66f0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\loader.exe

"C:\Users\Admin\AppData\Local\Temp\loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\en\defenderx64.exe

"C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 lvke-45989.portmap.host udp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
DE 193.161.193.99:45989 lvke-45989.portmap.host tcp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

memory/4456-0-0x000000007512E000-0x000000007512F000-memory.dmp

memory/4456-1-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

memory/4456-2-0x0000000005AC0000-0x0000000006064000-memory.dmp

memory/4456-3-0x00000000055B0000-0x0000000005642000-memory.dmp

memory/4456-4-0x0000000075120000-0x00000000758D0000-memory.dmp

memory/4456-5-0x0000000005590000-0x000000000559A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\loader.exe

MD5 a7162b6eabcdb753b8ec85bda90af43c
SHA1 e837aa3e994604f84c3adb4f6a10dc602e326a3e
SHA256 ec5fa919b523ea3effb48a867b496d30a3bbf2208bc5652f812ebd0d87889ad0
SHA512 3aeb0173d2169d9607a9e9e12c6ded9a2e0ab68b3c522ef287d3d5245b8c9eceec903685e30698711678664c6e002f09c224b61eaadd0cd54e1646104da8a4e4

memory/2488-17-0x0000000000400000-0x000000000109A000-memory.dmp

memory/4456-18-0x0000000075120000-0x00000000758D0000-memory.dmp

memory/2488-21-0x0000000076F20000-0x0000000077010000-memory.dmp

memory/2488-22-0x0000000076F20000-0x0000000077010000-memory.dmp

memory/2488-23-0x0000000076F20000-0x0000000077010000-memory.dmp

memory/2488-24-0x0000000076F20000-0x0000000077010000-memory.dmp

memory/2488-25-0x0000000076F20000-0x0000000077010000-memory.dmp

memory/2488-26-0x0000000076F20000-0x0000000077010000-memory.dmp

memory/2488-20-0x0000000076F20000-0x0000000077010000-memory.dmp

memory/2488-19-0x0000000076F40000-0x0000000076F41000-memory.dmp

memory/2488-28-0x0000000000400000-0x000000000109A000-memory.dmp

memory/2488-29-0x0000000000400000-0x000000000109A000-memory.dmp

memory/4576-36-0x0000000000400000-0x000000000109A000-memory.dmp

memory/2488-37-0x0000000000400000-0x000000000109A000-memory.dmp

memory/2488-38-0x0000000076F20000-0x0000000077010000-memory.dmp

memory/4576-40-0x0000000000400000-0x000000000109A000-memory.dmp

memory/4576-41-0x0000000000400000-0x000000000109A000-memory.dmp

memory/4576-42-0x0000000006E00000-0x0000000007418000-memory.dmp

memory/4576-43-0x0000000006940000-0x0000000006990000-memory.dmp

memory/4576-44-0x0000000006B30000-0x0000000006BE2000-memory.dmp

memory/4456-46-0x000000007512E000-0x000000007512F000-memory.dmp

memory/4456-47-0x0000000075120000-0x00000000758D0000-memory.dmp

memory/4576-49-0x0000000000400000-0x000000000109A000-memory.dmp