Malware Analysis Report

2024-08-06 13:18

Sample ID 240701-c3a4dsxarm
Target 2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe
SHA256 2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579
Tags
quasar azorult ebayprofiles infostealer spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579

Threat Level: Known bad

The file 2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

quasar azorult ebayprofiles infostealer spyware trojan

Quasar RAT

Quasar family

Quasar payload

Azorult

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Enumerates connected drives

Suspicious use of SetThreadContext

AutoIT Executable

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-01 02:35

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-01 02:35

Reported

2024-07-01 02:38

Platform

win7-20240221-en

Max time kernel

3s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe"

Signatures

Azorult

trojan infostealer azorult

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\vnc.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\windef.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2524 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\vnc.exe
PID 2524 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\vnc.exe
PID 2524 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\vnc.exe
PID 2524 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\vnc.exe
PID 2524 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\windef.exe
PID 2524 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\windef.exe
PID 2524 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\windef.exe
PID 2524 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\windef.exe
PID 1724 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe C:\Windows\system32\svchost.exe
PID 1724 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe C:\Windows\system32\svchost.exe
PID 1724 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe C:\Windows\system32\svchost.exe
PID 1724 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe C:\Windows\system32\svchost.exe
PID 2524 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe
PID 2524 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe
PID 2524 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe
PID 2524 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe
PID 2524 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe
PID 2524 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe
PID 2524 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 2524 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 2524 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 2524 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 1724 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe C:\Windows\system32\svchost.exe
PID 1724 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1724 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1724 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1724 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe C:\Windows\SysWOW64\WerFault.exe
PID 2384 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Windows\SysWOW64\schtasks.exe
PID 2384 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Windows\SysWOW64\schtasks.exe
PID 2384 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Windows\SysWOW64\schtasks.exe
PID 2384 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Windows\SysWOW64\schtasks.exe
PID 2384 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
PID 2384 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
PID 2384 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
PID 2384 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\vnc.exe

"C:\Users\Admin\AppData\Local\Temp\vnc.exe"

C:\Users\Admin\AppData\Local\Temp\windef.exe

"C:\Users\Admin\AppData\Local\Temp\windef.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k

C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 160

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe

"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f

C:\Windows\system32\taskeng.exe

taskeng.exe {ACF155F7-27B5-4E8C-8C7B-B54D5757B058} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\Temp\vnc.exe

"C:\Users\Admin\AppData\Local\Temp\vnc.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k

C:\Users\Admin\AppData\Local\Temp\windef.exe

"C:\Users\Admin\AppData\Local\Temp\windef.exe"

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 0x21.in udp
US 44.221.84.105:8000 0x21.in tcp
US 8.8.8.8:53 0x21.in udp
US 44.221.84.105:8000 0x21.in tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
RU 5.8.88.191:443 N/A tcp
RU 5.8.88.191:8080 N/A tcp
US 8.8.8.8:53 0x21.in udp
US 44.221.84.105:8000 0x21.in tcp
US 8.8.8.8:53 0x21.in udp
US 44.221.84.105:8000 0x21.in tcp
RU 5.8.88.191:8080 N/A tcp
RU 5.8.88.191:8080 N/A tcp
RU 5.8.88.191:8080 N/A tcp
RU 5.8.88.191:8080 N/A tcp

Files

\Users\Admin\AppData\Local\Temp\vnc.exe

MD5 b8ba87ee4c3fc085a2fed0d839aadce1
SHA1 b3a2e3256406330e8b1779199bb2b9865122d766
SHA256 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA512 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

C:\Users\Admin\AppData\Local\Temp\windef.exe

MD5 b4a202e03d4135484d0e730173abcc72
SHA1 01b30014545ea526c15a60931d676f9392ea0c70
SHA256 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

memory/2732-38-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2732-32-0x00000000000C0000-0x00000000000E0000-memory.dmp

memory/2732-43-0x00000000000C0000-0x00000000000E0000-memory.dmp

memory/2732-30-0x00000000000C0000-0x00000000000E0000-memory.dmp

memory/2524-29-0x00000000010A0000-0x00000000010A1000-memory.dmp

memory/2384-46-0x00000000001F0000-0x000000000024E000-memory.dmp

memory/2872-60-0x0000000000120000-0x000000000017E000-memory.dmp

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

MD5 d796d349aced85b42016ab367f4fcbbe
SHA1 d1cd903f653ec041d92b88197b4e7c0c8c69f3bb
SHA256 8e567dc358e6658f3af87d1814d927f6d30eaf5d5758c0744f86f56852a139d1
SHA512 a033a162ec47e88ef678d44dc8706f94fe1c9803a38a7297fcdaae8678dc04f615b2803ee81943db2016b3ac965a65d8abe84b9858c0d7c12b1b27e20a997033

memory/632-73-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

memory/632-71-0x0000000000020000-0x0000000000021000-memory.dmp

memory/632-74-0x00000000003B0000-0x000000000044C000-memory.dmp

memory/632-78-0x00000000003B0000-0x000000000044C000-memory.dmp

memory/3032-93-0x0000000000290000-0x00000000002EE000-memory.dmp

memory/2068-96-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2068-99-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2068-103-0x0000000000080000-0x00000000000A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MT4Q07JP.txt

MD5 35d864038bf15d93ea7a121a9f100aea
SHA1 f26135fc70a32f7645f531c0283b456949a09b3a
SHA256 c8662a5867d472b9df356819d6f136b23aff3fd3e6df3cf656415f0721a3107e
SHA512 70a4c05c961dc173fd315a797fdc939d63d842569bccf86a4fe62b9072e502c1b9390a9101755b9649436f782cdb03b38c392d4630d67b5755275b212f892127

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-01 02:35

Reported

2024-07-01 02:38

Platform

win10v2004-20240611-en

Max time kernel

6s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe"

Signatures

Azorult

trojan infostealer azorult

Quasar RAT

trojan spyware quasar
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\windef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 728 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\vnc.exe
PID 728 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\vnc.exe
PID 728 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\vnc.exe
PID 740 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe C:\Windows\system32\svchost.exe
PID 740 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe C:\Windows\system32\svchost.exe
PID 740 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\vnc.exe C:\Windows\system32\svchost.exe
PID 728 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\windef.exe
PID 728 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\windef.exe
PID 728 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\windef.exe
PID 728 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe
PID 728 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe
PID 728 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe
PID 728 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe
PID 728 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe
PID 728 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 728 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 728 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 4748 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Windows\SysWOW64\schtasks.exe
PID 4748 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Windows\SysWOW64\schtasks.exe
PID 4748 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Windows\SysWOW64\schtasks.exe
PID 4748 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
PID 4748 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
PID 4748 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\windef.exe C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
PID 4432 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe C:\Windows\SysWOW64\schtasks.exe
PID 4432 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe C:\Windows\SysWOW64\schtasks.exe
PID 4432 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\vnc.exe

"C:\Users\Admin\AppData\Local\Temp\vnc.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k

C:\Users\Admin\AppData\Local\Temp\windef.exe

"C:\Users\Admin\AppData\Local\Temp\windef.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 740 -ip 740

C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2f0e0415053f5b2cc1714fead108e51d7761dd18b5c4ee109da95635316d9579_NeikiAnalytics.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 548

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe

"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\Temp\vnc.exe

"C:\Users\Admin\AppData\Local\Temp\vnc.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k

C:\Users\Admin\AppData\Local\Temp\windef.exe

"C:\Users\Admin\AppData\Local\Temp\windef.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2704 -ip 2704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 520

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tb4lV5rTWKWx.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4432 -ip 4432

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe

"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NPYy71mFEbTh.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3556 -ip 3556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 2208

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe

"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            0x21.in                         udp
US       44.221.84.105:8000    0x21.in                         tcp
US       8.8.8.8:53            0x21.in                         udp
US       44.221.84.105:8000    0x21.in                         tcp
US       8.8.8.8:53            104.219.191.52.in-addr.arpa     udp
US       8.8.8.8:53            105.84.221.44.in-addr.arpa      udp
US       8.8.8.8:53            ip-api.com                      udp
US       208.95.112.1:80       ip-api.com                      tcp
US       8.8.8.8:53            82.90.14.23.in-addr.arpa        udp
US       8.8.8.8:53            1.112.95.208.in-addr.arpa       udp
US       208.95.112.1:80       ip-api.com                      tcp
US       8.8.8.8:53            76.32.126.40.in-addr.arpa       udp
RU       5.8.88.191:443                                        tcp
US       8.8.8.8:53            97.17.167.52.in-addr.arpa       udp
US       8.8.8.8:53            g.bing.com                      udp
US       13.107.21.237:443     g.bing.com                      tcp
US       44.221.84.105:8000    0x21.in                         tcp
US       44.221.84.105:8000    0x21.in                         tcp
US       8.8.8.8:53            sockartek.icu                   udp
US       8.8.8.8:53            157.123.68.40.in-addr.arpa      udp
US       8.8.8.8:53            18.31.95.13.in-addr.arpa        udp
US       8.8.8.8:53            92.12.20.2.in-addr.arpa         udp
US       208.95.112.1:80       ip-api.com                      tcp
RU       5.8.88.191:443                                        tcp
US       8.8.8.8:53            83.210.23.2.in-addr.arpa        udp
US       8.8.8.8:53            sockartek.icu                   udp
US       8.8.8.8:53            ip-api.com                      udp
US       208.95.112.1:80       ip-api.com                      tcp
RU       5.8.88.191:443                                        tcp
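To turn the network table above into indicators rather than reading it row by row, the following Python is an added example (not part of the sandbox output): it parses the rows exactly as printed (copied inline as constructed sample input), decodes the in-addr.arpa PTR queries back to the addresses they ask about, counts TCP sessions per endpoint, and applies three simple triage rules: a port other than 80/443, a TCP session with no domain attached (the RU rows), and a name that was resolved but never connected to. The ip-api.com match reuses the report's own "Looks up external IP address via web service" observation. The rule names, COMMON_PORTS and IP_LOOKUP_SERVICES are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample input: the Network table of this report, pasted verbatim.
# Rows with no Domain column are TCP sessions the sandbox could not tie to a DNS query.
SAMPLE_TABLE = """\
US 8.8.8.8:53 0x21.in udp
US 44.221.84.105:8000 0x21.in tcp
US 8.8.8.8:53 0x21.in udp
US 44.221.84.105:8000 0x21.in tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
RU 5.8.88.191:443 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 44.221.84.105:8000 0x21.in tcp
US 44.221.84.105:8000 0x21.in tcp
US 8.8.8.8:53 sockartek.icu udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
RU 5.8.88.191:443 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 sockartek.icu udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 5.8.88.191:443 tcp
"""

ROW = re.compile(r'^(\w{2})\s+([\d.]+):(\d+)\s+(?:(\S+)\s+)?(udp|tcp)$')
PTR = re.compile(r'^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$', re.I)
IP_LOOKUP_SERVICES = {'ip-api.com'}   # assumption: extend with the services you care about
COMMON_PORTS = {80, 443}              # assumption: anything else on TCP is worth a look


def parse_rows(text):
    """Return (country, ip, port, domain, proto) tuples; domain is '' when the column is empty."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append((country, ip, int(port), domain or '', proto))
    return rows


def ptr_target(name):
    """Decode a reverse-lookup name into the address it asks about, else None."""
    m = PTR.match(name)
    return '.'.join(reversed(m.groups())) if m else None


def summarize(text):
    queried, ptr_targets, tcp = [], [], Counter()
    for _country, ip, port, domain, proto in parse_rows(text):
        if proto == 'udp' and port == 53:
            target = ptr_target(domain)
            if target and target not in ptr_targets:
                ptr_targets.append(target)
            elif not target and domain and domain not in queried:
                queried.append(domain)
        elif proto == 'tcp':
            tcp[(ip, port, domain)] += 1
    connected = {d for (_, _, d) in tcp if d}
    return {
        'tcp': tcp,
        'queried': queried,
        'ptr_targets': ptr_targets,
        'nonstandard_port': [k for k in tcp if k[1] not in COMMON_PORTS],
        'direct_to_ip': [k for k in tcp if not k[2]],
        'external_ip_lookup': [k for k in tcp if k[2] in IP_LOOKUP_SERVICES],
        'dns_only': [d for d in queried if d not in connected],
    }


def iocs(text):
    """Blocklist-ready strings from the endpoints the triage rules flagged."""
    s = summarize(text)
    out = set(s['dns_only'])
    for ip, port, domain in s['nonstandard_port'] + s['direct_to_ip']:
        out.add(f'{ip}:{port}')
        if domain:
            out.add(domain)
    return sorted(out)


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_TABLE).items():
        print(f'{key:20} {value}')
    print('iocs:', iocs(SAMPLE_TABLE))
```

On this table the rules single out 44.221.84.105:8000 (four sessions behind 0x21.in), 5.8.88.191:443 (three sessions with no domain) and sockartek.icu (resolved twice, never connected to); the ip-api.com sessions are reported separately as the external IP check. The decoded PTR list shows that both 44.221.84.105 and 208.95.112.1 were reverse-resolved during the run, which is how the host's own DNS chatter can confirm which peers it actually talked to. g.bing.com is not flagged by any of these rules.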

Files

C:\Users\Admin\AppData\Local\Temp\vnc.exe

MD5 b8ba87ee4c3fc085a2fed0d839aadce1
SHA1 b3a2e3256406330e8b1779199bb2b9865122d766
SHA256 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA512 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

C:\Users\Admin\AppData\Local\Temp\windef.exe

MD5 b4a202e03d4135484d0e730173abcc72
SHA1 01b30014545ea526c15a60931d676f9392ea0c70
SHA256 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

memory/4748-19-0x000000007343E000-0x000000007343F000-memory.dmp

memory/2968-21-0x0000000000400000-0x0000000000420000-memory.dmp

memory/728-20-0x0000000000F10000-0x0000000000F11000-memory.dmp

memory/2968-29-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4748-30-0x0000000000920000-0x000000000097E000-memory.dmp

memory/4748-33-0x0000000005740000-0x0000000005CE4000-memory.dmp

memory/4748-34-0x00000000052C0000-0x0000000005352000-memory.dmp

memory/4748-35-0x0000000005360000-0x00000000053C6000-memory.dmp

memory/4748-36-0x0000000005F70000-0x0000000005F82000-memory.dmp

memory/4748-37-0x00000000064B0000-0x00000000064EC000-memory.dmp

memory/4432-45-0x0000000006DF0000-0x0000000006DFA000-memory.dmp

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

MD5 fa722bc549a07300e8a1f2d745857c72
SHA1 1f3edaa5e614f50eede949cadcc5a588e0dbd609
SHA256 1cb07359cd0cf6e780483e2fc8fd45fe3a12dce8a1e5a4866fab96bbdd9d914a
SHA512 f83f8c515e99c4e0999f105eff4136a5590097836105f0a6fcb5214e041fa51013bd289d5ca86331fe75de3751269fc9eb01ffefb7a17754c76788895c4a371a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log

MD5 10eab9c2684febb5327b6976f2047587
SHA1 a12ed54146a7f5c4c580416aecb899549712449e
SHA256 f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA512 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

memory/4040-67-0x00000000003B0000-0x00000000003D0000-memory.dmp

memory/4040-73-0x00000000003B0000-0x00000000003D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tb4lV5rTWKWx.bat

MD5 e136527e7ab3d2a6c49179f479596fdd
SHA1 4ef210595e9f15ed6ac7dcccadb1d5a4938d265b
SHA256 ef4d3606a81694ad2885792bca805ebeadb6f4ad10037b63f4b18436602278e5
SHA512 4273726cab225b6c1b4ee8a84e1edf847b8e3183aca7a86cd7239a9f97f6e957a459e1f33f4c4c2e38319f2e754275a8c7bb4456d66ca51f2f5ee50476a8583f

C:\Users\Admin\AppData\Roaming\Logs\07-01-2024

MD5 b88fdb5bff9c4c7019269b432895c8e4
SHA1 ebcdd017d90959953c71df40dd94414e353f24e8
SHA256 28c42c376cf47d395eadbfb93f48d53a2e0811b0c88a7801b52bbe96b58f4f36
SHA512 2a40fa36c266f4cf78672f5b2f680b99b7f2c3fe9ba0749b32bd697ad4229a939764927f4eb3fc7c535151e3e9eb51b9463ef49abe2b56234e13f33ab9130f94

C:\Users\Admin\AppData\Local\Temp\NPYy71mFEbTh.bat

MD5 37d3be0f445287347f495603eb5a75d3
SHA1 2ee855cbcd7f83c88c75f22351e762dd6bf8a07f
SHA256 0267ca429f9ecf4b0b5c51562f9ced86e9a3a06c4bebcde335a3d4299fd5a888
SHA512 c7b0cd2094a7216c2fb6c2bed858996aa7c733d554d8d51fb4380422f5f75f5d3d2383591cf6ab74c53381ae20044e26cd9dc69f9c62993e15d1fb237730e54e

C:\Users\Admin\AppData\Roaming\Logs\07-01-2024

MD5 4e5a5489599d69200c73cf93b5badc46
SHA1 e7b7b507e10eea80250600ddca9de5b9f01ca444
SHA256 0c325fe2087f36f5b81761abb9fd232d43ffb8761e9e6a14680335bfe9192d00
SHA512 8edbe480ed1d4f8ce79dc407c0af15344eea532e0e2997a283817e52982483915c18d22497a11786ddff329dada6c72f5bd88f8a37c61b96f868d1042b2694d9