Analysis
max time kernel: 11s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/06/2024, 06:56
Behavioral task: behavioral1
  Sample: 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
Size: 2.0MB
MD5: 6756a56ac53bd379b5ac793bbca5bf00
SHA1: 2a4b4911da4cc95ee9a24e429bd8bd2d46a8f1a0
SHA256: deeaefd1db42646e655d451603fbf1209075e2093441453a8d9773771258a208
SHA512: 57ec1b3fa2a99a74b5ff91d98365d91856685ca65ed1a0e716ba93269c49d14878a826490f736d5d78fd59ad0ed0a167944c73e1832c56e7543b414e7c1b1ae7
SSDEEP: 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYR:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Yf
Malware Config
Extracted: azorult
  http://0x21.in:8000/_az/
Extracted: quasar
  1.3.0.0
  EbayProfiles
  5.8.88.191:443
  sockartek.icu:443
  QSR_MUTEX_0kBRNrRz5TDLEQouI0
  encryption_key: MWhG6wsClMX8aJM2CVXT
  install_name: winsock.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: win defender run
  subdirectory: SubDir
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
description | flow | ioc | Process
Key value queried | | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
| 13 | ip-api.com | Process not Found
| 69 | ip-api.com | Process not Found

Quasar payload (3 IoCs)
resource | yara_rule
behavioral2/files/0x000800000002324a-12.dat | family_quasar
behavioral2/memory/3472-37-0x00000000004D0000-0x000000000052E000-memory.dmp | family_quasar
behavioral2/files/0x000700000002324f-58.dat | family_quasar

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
Executes dropped EXE (2 IoCs)
pid | Process
3384 | vnc.exe
3472 | windef.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\w: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\y: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\z: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\a: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\j: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\p: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\s: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\g: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\t: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\v: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\x: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\q: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\b: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\e: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\n: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\o: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\m: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\r: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\u: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\h: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\i: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\k: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
File opened (read-only) | \??\l: | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
13 | ip-api.com
69 | ip-api.com

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | svchost.exe

AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000700000002324f-58.dat | autoit_exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3456 set thread context of 2472 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 95
PID 3384 set thread context of 4980 | 3384 | vnc.exe | 93
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (3 IoCs)
pid | pid_target | Process | procid_target
2252 | 1752 | WerFault.exe | 101
1020 | 4308 | WerFault.exe | 119
3244 | 4196 | WerFault.exe | 135

Creates scheduled task(s) (1 TTPs, 7 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3664 | schtasks.exe
1076 | schtasks.exe
4672 | schtasks.exe
3100 | schtasks.exe
4688 | schtasks.exe
1268 | schtasks.exe
4236 | schtasks.exe

Runs ping.exe (1 TTPs, 3 IoCs)
pid | Process
2076 | PING.EXE
5016 | PING.EXE
2348 | PING.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe
3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
3384 | vnc.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target
PID 3456 wrote to memory of 3384 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 91
PID 3456 wrote to memory of 3384 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 91
PID 3456 wrote to memory of 3384 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 91
PID 3384 wrote to memory of 4980 | 3384 | vnc.exe | 93
PID 3384 wrote to memory of 4980 | 3384 | vnc.exe | 93
PID 3456 wrote to memory of 3472 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 94
PID 3456 wrote to memory of 3472 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 94
PID 3456 wrote to memory of 3472 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 94
PID 3384 wrote to memory of 4980 | 3384 | vnc.exe | 93
PID 3456 wrote to memory of 2472 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 95
PID 3456 wrote to memory of 2472 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 95
PID 3456 wrote to memory of 2472 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 95
PID 3456 wrote to memory of 2472 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 95
PID 3456 wrote to memory of 2472 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 95
PID 3384 wrote to memory of 4980 | 3384 | vnc.exe | 93
PID 3456 wrote to memory of 1268 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 96
PID 3456 wrote to memory of 1268 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 96
PID 3456 wrote to memory of 1268 | 3456 | 6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe | 96
PID 3384 wrote to memory of 4980 | 3384 | vnc.exe | 93
Processes
(indentation shows parent/child nesting; each entry gives the image path, PID, command line and the signatures hit by that process)

C:\Users\Admin\AppData\Local\Temp\6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe  (PID 3456)
  command line: "C:\Users\Admin\AppData\Local\Temp\6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe"
  - Quasar RAT
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\vnc.exe  (PID 3384)
    command line: "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe  (PID 4980)
      command line: C:\Windows\system32\svchost.exe -k
      - Maps connected drives based on registry
  C:\Users\Admin\AppData\Local\Temp\windef.exe  (PID 3472)
    command line: "C:\Users\Admin\AppData\Local\Temp\windef.exe"
    - Executes dropped EXE
    C:\Windows\SysWOW64\schtasks.exe  (PID 4236)
      command line: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe  (PID 1752)
      command line: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
      C:\Windows\SysWOW64\schtasks.exe  (PID 3664)
        command line: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
      C:\Windows\SysWOW64\cmd.exe  (PID 3452)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WY2pkLxNzgQu.bat" "
        C:\Windows\SysWOW64\chcp.com  (PID 1012)
          command line: chcp 65001
        C:\Windows\SysWOW64\PING.EXE  (PID 5016)
          command line: ping -n 10 localhost
          - Runs ping.exe
        C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe  (PID 4308)
          command line: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
          C:\Windows\SysWOW64\schtasks.exe  (PID 1076)
            command line: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\cmd.exe  (PID 4728)
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yW8EtqyofNlU.bat" "
            C:\Windows\SysWOW64\chcp.com  (PID 2920)
              command line: chcp 65001
            C:\Windows\SysWOW64\PING.EXE  (PID 2348)
              command line: ping -n 10 localhost
              - Runs ping.exe
            C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe  (PID 4196)
              command line: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
              C:\Windows\SysWOW64\schtasks.exe  (PID 3100)
                command line: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
                - Creates scheduled task(s)
              C:\Windows\SysWOW64\cmd.exe  (PID 3524)
                command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dedlvdEYbOar.bat" "
                C:\Windows\SysWOW64\chcp.com  (PID 3416)
                  command line: chcp 65001
                C:\Windows\SysWOW64\PING.EXE  (PID 2076)
                  command line: ping -n 10 localhost
                  - Runs ping.exe
                C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe  (PID 3540)
                  command line: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
                  C:\Windows\SysWOW64\schtasks.exe  (PID 4688)
                    command line: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
                    - Creates scheduled task(s)
              C:\Windows\SysWOW64\WerFault.exe  (PID 3244)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 1768
                - Program crash
          C:\Windows\SysWOW64\WerFault.exe  (PID 1020)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 2276
            - Program crash
      C:\Windows\SysWOW64\WerFault.exe  (PID 2252)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1736
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe  (PID 2472)
    command line: "C:\Users\Admin\AppData\Local\Temp\6756a56ac53bd379b5ac793bbca5bf00_NeikiAnalytics.exe"
  C:\Windows\SysWOW64\schtasks.exe  (PID 1268)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
C:\Windows\SysWOW64\WerFault.exe  (PID 2340)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1752 -ip 1752
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4704)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe  (PID 2656)
  command line: C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  C:\Users\Admin\AppData\Local\Temp\vnc.exe  (PID 3968)
    command line: "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
    C:\Windows\system32\svchost.exe  (PID 888)
      command line: C:\Windows\system32\svchost.exe -k
  C:\Users\Admin\AppData\Local\Temp\windef.exe  (PID 3556)
    command line: "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe  (PID 1912)
    command line: "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
  C:\Windows\SysWOW64\schtasks.exe  (PID 4672)
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
C:\Windows\SysWOW64\WerFault.exe  (PID 2076)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4308 -ip 4308
C:\Windows\SysWOW64\WerFault.exe  (PID 640)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4196 -ip 4196
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 10eab9c2684febb5327b6976f2047587
SHA1: a12ed54146a7f5c4c580416aecb899549712449e
SHA256: f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA512: 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Filesize: 208B
MD5: 9f87c7ee56e605ee5fc3f478884a5cdc
SHA1: 8c6767c30d90f30d43d61f9c265543db33da795b
SHA256: 3328ac91b3091a0cb7880bad0265d1eb30a1ebc744141811fe95f83024333be3
SHA512: 1e211ee9b11ec9a4cc989c9109cfa0ba27737f46e7e96aa945269eb5ecd95b1b95557a1071e86be766e1ea22cd61ff1a4c79b0bb44e12f9a4c5bc66934034244

Filesize: 208B
MD5: 86e3f18328a5c6691f64f8b060850bc7
SHA1: 7b3806b8e7f8cb6910a42c8335d257f6397b8c12
SHA256: 6596275ccb25a3a61218a751cd51ac77187c7a3e53ba1cd70c5bb2c1af1330af
SHA512: 8665259a56571b1e3b4a9e601d5362f76b3261fb7bf6bb0e38916854ff06e9c3b59bee61bb75151c0255e8c1da606d569edda70243a1c16a9474b927d504524c

Filesize: 405KB
MD5: b8ba87ee4c3fc085a2fed0d839aadce1
SHA1: b3a2e3256406330e8b1779199bb2b9865122d766
SHA256: 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA512: 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

Filesize: 349KB
MD5: b4a202e03d4135484d0e730173abcc72
SHA1: 01b30014545ea526c15a60931d676f9392ea0c70
SHA256: 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512: 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Filesize: 208B
MD5: 1fc8b1eb1015435a514ad79c1a228150
SHA1: 013990d6d8aa8182532ce40dc9a970723edc9464
SHA256: 169e8cfa0606803f784e86f17c86f37d2c7d4236a65d885da148b0ae0394da8e
SHA512: 9c3f072b38dfb19863b74c62f82d06e1c3147831f367912b18df2744e451265cd9a1f3f464771e25230ad55225f221690f6b81fcdabf56265a88e05c5173db9e

Filesize: 224B
MD5: 64a23f3257ae05458ebb4c6dba1e95c0
SHA1: c5e40ac5b0d6b7bb48c310f67ebadbd7fa8019f6
SHA256: da7932084082068a81e30885aee8b0efa7f27cc015e50bc84d7a231295ff5be7
SHA512: b3eb897d5366a1470f68c7b4915e6e340f31252fe00d074dbf9dba645851d897cbc4fc115073be4043ce6e7567633ec1fdd87144792a399e4f10eb4f3647def3

Filesize: 224B
MD5: e63db007c94283bc413744ce70e91b3e
SHA1: d971c813303753f0632a6a37f49337136521bd71
SHA256: a69e2952bacd8322b452f5c62b56b0123ee7c8deb286a169b1d0bc23a41c3dd0
SHA512: b80eb388195e87371f82376f841acbc4e733dca6c1c2f279bbca14729055ffe3994e65222f4dc69d57a05f7dae2fc424142442b1ecdb402462a29b388333ce34

Filesize: 224B
MD5: 546f8b71bfc602f681a7c0d3da807fbc
SHA1: dcef2afde71c411cef0d3bcf659836e93caee8fe
SHA256: b76fe65f75fd20adb556c4e34273980475fec770d54448da3edd9f557ec8c787
SHA512: c665f5541568111e8145a45c86843b9a66d8cc37b6354b6740e39e2683e279ffad3c1e12604c0c590d7c43ed63743b68f291b81a894622889de0b661a562cc19

Filesize: 2.0MB
MD5: 20ab1605e100ecb98a8c89e7bbd0d82e
SHA1: b4bf3cd31172f1bb9cb50589e8c3aaebbbdc4cad
SHA256: f24d62403c786ffa06e504f047d51f17e29789b9b53466e9ee0fb8544282218b
SHA512: 4b312c57a9c20f370ca64084d25c1602365e066a5b57282b546a3293b07f5802c147f2eb991847a3bbcaa76b39a3131be2b0eda82c89be496fd3d7e330c8f2e9