azorult | deeaefd1db42646e655d451603fbf1209075e2093441453a8d9773771258a208

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
3384	vnc.exe
3472	windef.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\w:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\y:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\z:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\a:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\j:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\p:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\s:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\g:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\t:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\v:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\x:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\q:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\b:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\e:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\n:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\o:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\m:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\r:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\u:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\h:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\i:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\k:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only)	\??\l:	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
69	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002324f-58.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3456 set thread context of 2472	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	95
PID 3384 set thread context of 4980	3384	vnc.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2252	1752	WerFault.exe	101
1020	4308	WerFault.exe	119
3244	4196	WerFault.exe	135

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3664	schtasks.exe
1076	schtasks.exe
4672	schtasks.exe
3100	schtasks.exe
4688	schtasks.exe
1268	schtasks.exe
4236	schtasks.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2076	PING.EXE
5016	PING.EXE
2348	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3384	vnc.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 3384	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	91
PID 3456 wrote to memory of 3384	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	91
PID 3456 wrote to memory of 3384	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	91
PID 3384 wrote to memory of 4980	3384	vnc.exe	93
PID 3384 wrote to memory of 4980	3384	vnc.exe	93
PID 3456 wrote to memory of 3472	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	94
PID 3456 wrote to memory of 3472	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	94
PID 3456 wrote to memory of 3472	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	94
PID 3384 wrote to memory of 4980	3384	vnc.exe	93
PID 3456 wrote to memory of 2472	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	95
PID 3456 wrote to memory of 2472	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	95
PID 3456 wrote to memory of 2472	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	95
PID 3456 wrote to memory of 2472	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	95
PID 3456 wrote to memory of 2472	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	95
PID 3384 wrote to memory of 4980	3384	vnc.exe	93
PID 3456 wrote to memory of 1268	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	96
PID 3456 wrote to memory of 1268	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	96
PID 3456 wrote to memory of 1268	3456	6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe	96
PID 3384 wrote to memory of 4980	3384	vnc.exe	93

C:\Users\Admin\AppData\Local\Temp\6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe"
1⤵
- Quasar RAT
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Local\Temp\vnc.exe
  "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    - Maps connected drives based on registry
    PID:4980
- C:\Users\Admin\AppData\Local\Temp\windef.exe
  "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  2⤵
  - Executes dropped EXE
  PID:3472
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4236
- - C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
    3⤵
    PID:1752
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WY2pkLxNzgQu.bat" "
      4⤵
      PID:3452
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1012
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:5016
    - - C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        5⤵
        
        PID:4308
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:1076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yW8EtqyofNlU.bat" "
        6⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        7⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dedlvdEYbOar.bat" "
        8⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        9⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        10⤵
        Creates scheduled task(s)
        
        PID:4688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1768
        8⤵
        Program crash
        
        PID:3244
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 2276
        6⤵
        Program crash
        
        PID:1020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1736
      4⤵
      Program crash
      PID:2252
- C:\Users\Admin\AppData\Local\Temp\6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe"
  2⤵
  PID:2472
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1752 -ip 1752
1⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:4704

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
1⤵
PID:2656
- C:\Users\Admin\AppData\Local\Temp\vnc.exe
  "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
  2⤵
  PID:3968
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    PID:888
- C:\Users\Admin\AppData\Local\Temp\windef.exe
  "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  2⤵
  PID:3556
- C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
  2⤵
  PID:1912
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4308 -ip 4308
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4196 -ip 4196
1⤵
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery