azorult | 49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1460	vnc.exe
1900	windef.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\o:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\u:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\g:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\l:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\n:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\m:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\s:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\t:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\w:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\y:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\e:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\j:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\k:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\z:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\r:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\v:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\x:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\h:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\i:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\p:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\a:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\b:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
File opened (read-only)	\??\q:	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023248-54.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 2500	1460	vnc.exe	94
PID 4948 set thread context of 3360	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3932	1536	WerFault.exe	109

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4332	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1680	schtasks.exe
3708	schtasks.exe
4964	schtasks.exe
4856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1460	vnc.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1460	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	92
PID 4948 wrote to memory of 1460	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	92
PID 4948 wrote to memory of 1460	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	92
PID 1460 wrote to memory of 2500	1460	vnc.exe	94
PID 1460 wrote to memory of 2500	1460	vnc.exe	94
PID 4948 wrote to memory of 1900	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	95
PID 4948 wrote to memory of 1900	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	95
PID 4948 wrote to memory of 1900	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	95
PID 1460 wrote to memory of 2500	1460	vnc.exe	94
PID 4948 wrote to memory of 3360	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	96
PID 4948 wrote to memory of 3360	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	96
PID 4948 wrote to memory of 3360	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	96
PID 1460 wrote to memory of 2500	1460	vnc.exe	94
PID 4948 wrote to memory of 3360	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	96
PID 4948 wrote to memory of 3360	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	96
PID 1460 wrote to memory of 2500	1460	vnc.exe	94
PID 4948 wrote to memory of 4964	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	97
PID 4948 wrote to memory of 4964	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	97
PID 4948 wrote to memory of 4964	4948	49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe	97

C:\Users\Admin\AppData\Local\Temp\49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\vnc.exe
  "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    - Maps connected drives based on registry
    PID:2500
- C:\Users\Admin\AppData\Local\Temp\windef.exe
  "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  2⤵
  - Executes dropped EXE
  PID:1900
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4856
- - C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\80xXuzNOkXj9.bat" "
      4⤵
      PID:3304
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1568
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:4332
    - - C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        5⤵
        
        PID:5012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 2292
      4⤵
      Program crash
      PID:3932
- C:\Users\Admin\AppData\Local\Temp\49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\49aafee164d62e048c96d3a4f8d5b19427dd7850fda585c6456f277633411369_NeikiAnalytics.exe"
  2⤵
  PID:3360
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4792 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3080

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\vnc.exe
  "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
  2⤵
  PID:3672
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    PID:3632
- C:\Users\Admin\AppData\Local\Temp\windef.exe
  "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  2⤵
  PID:1412
- C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
  2⤵
  PID:4120
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1536 -ip 1536
1⤵
PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery

4