Malware Analysis Report

2024-10-23 19:04

Sample ID 240629-grrdfsvgrq
Target 71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c_NeikiAnalytics.exe
SHA256 71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c
Tags
quasar usr persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c

Threat Level: Known bad

The file 71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

quasar usr persistence spyware trojan

Quasar RAT

Quasar payload

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-29 06:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 06:02

Reported

2024-06-29 06:05

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c_NeikiAnalytics.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\isocket = "C:\\Users\\Admin\\isocket.pif" | C:\Users\Admin\AppData\Local\Temp\71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c_NeikiAnalytics.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2464 wrote to memory of 2436 (12 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2436 wrote to memory of 348 (4 identical entries) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2100 (4 identical entries) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\WerFault.exe
PID 348 wrote to memory of 1984 (4 identical entries) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 348 wrote to memory of 2260 (4 identical entries) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 348 wrote to memory of 2284 (7 identical entries) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wfUIjfehRdMg.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 1460

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | pv8stresser.xyz | udp

Files

memory/2464-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

memory/2464-1-0x0000000000ED0000-0x0000000000F82000-memory.dmp

memory/2464-2-0x00000000001B0000-0x00000000001D8000-memory.dmp

memory/2464-4-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-9-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-37-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-41-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-39-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-35-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-34-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-31-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-29-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-27-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-25-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-23-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-21-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-19-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-17-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-15-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-13-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-11-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-7-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-5-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-59-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-67-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-65-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-63-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-61-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-57-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-55-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-53-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-51-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-49-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-47-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-45-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-43-0x00000000001B0000-0x00000000001D1000-memory.dmp

memory/2464-70-0x0000000074A30000-0x000000007511E000-memory.dmp

memory/2464-71-0x0000000000BD0000-0x0000000000C5C000-memory.dmp

memory/2436-83-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wfUIjfehRdMg.bat

MD5 aaa0c1403d2a6866bfd6560efb72c6ee
SHA1 e51cb590b4c6c6ca41348adcb79f20b48f48b004
SHA256 2679a5368c6b53e90a57610fdce7af867807f4692534ea59cca986c195bd9b60
SHA512 d02beb8cf1c7b40791c559177c08b6729c988b1a043d1b5e710a0f43be6e82ed56de809f2db8282063a0505ea179a51b839f43ebcf9f347ecf34ff885c87a313

memory/2464-94-0x0000000074A30000-0x000000007511E000-memory.dmp

memory/2284-95-0x0000000000900000-0x0000000000912000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 06:02

Reported

2024-06-29 06:05

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c_NeikiAnalytics.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isocket = "C:\\Users\\Admin\\isocket.pif" | C:\Users\Admin\AppData\Local\Temp\71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c_NeikiAnalytics.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\71c5aa29fc4e8f9f853d757e40984e5e6b6376f5d241c21571671efb08653c3c_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | | tcp

Files

memory/2604-0-0x000000007484E000-0x000000007484F000-memory.dmp

memory/2604-1-0x0000000000D90000-0x0000000000E42000-memory.dmp

memory/2604-2-0x0000000005730000-0x0000000005758000-memory.dmp

memory/2604-17-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-13-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-15-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-67-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-65-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-63-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-61-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-59-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-58-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-53-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-51-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-49-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-47-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-45-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-43-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-41-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-37-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-35-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-33-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-31-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-29-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-27-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-25-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-23-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-21-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-11-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-9-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-7-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-5-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-55-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-39-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-20-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-4-0x0000000005730000-0x0000000005751000-memory.dmp

memory/2604-70-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/2604-71-0x0000000005950000-0x00000000059EC000-memory.dmp

memory/2604-72-0x00000000058B0000-0x000000000593C000-memory.dmp

memory/2604-73-0x000000007484E000-0x000000007484F000-memory.dmp

memory/2604-74-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/2604-76-0x0000000074840000-0x0000000074FF0000-memory.dmp