quasar | 89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Size

341KB
MD5

12727d1a8a1cde56fa3715f6ba9ecdb0
SHA1

112ff64a9dfccadd7ae4618dbaf6e537b68a058f
SHA256

89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93
SHA512

8502fafdad4ea9f430c6ce9f51f2686e56a13a9e23cd8cda0d420587ce11631efa076e38aa617e6ee0481331edc5e3954cc96f16b6dc1be33ad75e71cd36a7ef
SSDEEP

6144:ubZJrgLF70h2Jn/9A2LnugnTzTzTFNDMbMIIAZk1AlC4HCf0VVp8:G47gY/OanucQIAq94i8Vr8

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

keke78410-60142.portmap.host:60142

Mutex

QSR_MUTEX_cOv6uh77YaEpqR2GFj

Attributes

encryption_key
8vuP81UPGlFDNPdrxBd5
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/3848-1-0x0000000000AE0000-0x0000000000B3C000-memory.dmp family_quasar

resource	yara_rule
behavioral2/memory/3848-1-0x0000000000AE0000-0x0000000000B3C000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe

Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
20 ip-api.com
22 ip-api.com
24 ip-api.com
3 ip-api.com
11 api.ipify.org
16 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

512 PING.EXE
4460 PING.EXE
4552 PING.EXE
4412 PING.EXE
4852 PING.EXE
1848 PING.EXE
4480 PING.EXE
1220 PING.EXE

flow	ioc
18	ip-api.com
20	ip-api.com
22	ip-api.com
24	ip-api.com
3	ip-api.com
11	api.ipify.org
16	ip-api.com

pid	process
512	PING.EXE
4460	PING.EXE
4552	PING.EXE
4412	PING.EXE
4852	PING.EXE
1848	PING.EXE
4480	PING.EXE
1220	PING.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3848	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Token: SeDebugPrivilege	2272	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Token: SeDebugPrivilege	3432	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Token: SeDebugPrivilege	2548	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Token: SeDebugPrivilege	4204	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Token: SeDebugPrivilege	3540	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Token: SeDebugPrivilege	4436	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Token: SeDebugPrivilege	3348	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
Token: SeDebugPrivilege	4536	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.execmd.exe89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.execmd.exe89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.execmd.exe89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.execmd.exe89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.execmd.exe89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 3848 wrote to memory of 4900	3848	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 3848 wrote to memory of 4900	3848	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 3848 wrote to memory of 4900	3848	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 4900 wrote to memory of 1220	4900	cmd.exe	chcp.com
PID 4900 wrote to memory of 1220	4900	cmd.exe	chcp.com
PID 4900 wrote to memory of 1220	4900	cmd.exe	chcp.com
PID 4900 wrote to memory of 4460	4900	cmd.exe	PING.EXE
PID 4900 wrote to memory of 4460	4900	cmd.exe	PING.EXE
PID 4900 wrote to memory of 4460	4900	cmd.exe	PING.EXE
PID 4900 wrote to memory of 2272	4900	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 4900 wrote to memory of 2272	4900	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 4900 wrote to memory of 2272	4900	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 2272 wrote to memory of 3128	2272	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 2272 wrote to memory of 3128	2272	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 2272 wrote to memory of 3128	2272	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 3128 wrote to memory of 2724	3128	cmd.exe	chcp.com
PID 3128 wrote to memory of 2724	3128	cmd.exe	chcp.com
PID 3128 wrote to memory of 2724	3128	cmd.exe	chcp.com
PID 3128 wrote to memory of 4552	3128	cmd.exe	PING.EXE
PID 3128 wrote to memory of 4552	3128	cmd.exe	PING.EXE
PID 3128 wrote to memory of 4552	3128	cmd.exe	PING.EXE
PID 3128 wrote to memory of 3432	3128	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 3128 wrote to memory of 3432	3128	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 3128 wrote to memory of 3432	3128	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 3432 wrote to memory of 1064	3432	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 3432 wrote to memory of 1064	3432	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 3432 wrote to memory of 1064	3432	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 1064 wrote to memory of 1544	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 1544	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 1544	1064	cmd.exe	chcp.com
PID 1064 wrote to memory of 4412	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 4412	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 4412	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 2548	1064	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 1064 wrote to memory of 2548	1064	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 1064 wrote to memory of 2548	1064	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 2548 wrote to memory of 4924	2548	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 2548 wrote to memory of 4924	2548	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 2548 wrote to memory of 4924	2548	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 4924 wrote to memory of 952	4924	cmd.exe	chcp.com
PID 4924 wrote to memory of 952	4924	cmd.exe	chcp.com
PID 4924 wrote to memory of 952	4924	cmd.exe	chcp.com
PID 4924 wrote to memory of 4852	4924	cmd.exe	PING.EXE
PID 4924 wrote to memory of 4852	4924	cmd.exe	PING.EXE
PID 4924 wrote to memory of 4852	4924	cmd.exe	PING.EXE
PID 4924 wrote to memory of 4204	4924	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 4924 wrote to memory of 4204	4924	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 4924 wrote to memory of 4204	4924	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 4204 wrote to memory of 3400	4204	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 4204 wrote to memory of 3400	4204	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 4204 wrote to memory of 3400	4204	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 3400 wrote to memory of 2184	3400	cmd.exe	chcp.com
PID 3400 wrote to memory of 2184	3400	cmd.exe	chcp.com
PID 3400 wrote to memory of 2184	3400	cmd.exe	chcp.com
PID 3400 wrote to memory of 1848	3400	cmd.exe	PING.EXE
PID 3400 wrote to memory of 1848	3400	cmd.exe	PING.EXE
PID 3400 wrote to memory of 1848	3400	cmd.exe	PING.EXE
PID 3400 wrote to memory of 3540	3400	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 3400 wrote to memory of 3540	3400	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 3400 wrote to memory of 3540	3400	cmd.exe	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
PID 3540 wrote to memory of 4640	3540	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 3540 wrote to memory of 4640	3540	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 3540 wrote to memory of 4640	3540	89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe	cmd.exe
PID 4640 wrote to memory of 4300	4640	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEvaLWTigQob.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1220

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:4460

C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe"
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3LddvCUAsixY.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:2724

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:4552

C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe"
5⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MdVzIEnNl8fl.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:1544

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:4412

C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe"
7⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asJCFfYfpjwa.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\chcp.com
chcp 65001
9⤵
PID:952

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:4852

C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe"
9⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dsMmHg4Yvw1F.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\SysWOW64\chcp.com
chcp 65001
11⤵
PID:2184

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:1848

C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe"
11⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OtFriUE0NHIW.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\SysWOW64\chcp.com
chcp 65001
13⤵
PID:4300

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:4480

C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe"
13⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wJKVNztpJDqg.bat" "
14⤵
PID:3900

C:\Windows\SysWOW64\chcp.com
chcp 65001
15⤵
PID:3568

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:1220

C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe"
15⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouweEvBRPCNM.bat" "
16⤵
PID:3236

C:\Windows\SysWOW64\chcp.com
chcp 65001
17⤵
PID:2724

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
17⤵
- Runs ping.exe
PID:512

C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe"
17⤵
- Suspicious use of AdjustPrivilegeToken
PID:4536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\89a07c9afff73c280ae14caed30f2eb2768263c0020b943d352e5424bd993d93_NeikiAnalytics.exe.log
Filesize
1KB

MD5
8013ca45a4b68a281377f2c7b517ac8a

SHA1
aff79b7c8f408e5ae6f00cf9d83e2fd95d9affc3

SHA256
234381ea204c431d0936c4141a38381629938e4f5d40dd0ef01de6a282abbae7

SHA512
428305df713c12d2165303a9b0433c83a0e3f3088a9551deb6403e9351814c38c2377e7c22ede57bcd23ca764e02fce431c52aba6bf4b998b89a518129fda2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3LddvCUAsixY.bat
Filesize
276B

MD5
09b7f0d0ae221ea3b8f0d81961f15cf2

SHA1
1a2b3d31a7d32923cddee26146d48d63b1bf9f8d

SHA256
313a9cce54dc763d40cb79ec2f32544b7a9c8ce6f84fc4d1f40f8bf64b6651d7

SHA512
e1296e564cfe596b319ec1fdc39a977a8b447d71b5d76690195044cbbc65c8b0b34d32cc07290f7463f3ec755594a42e21f6da0ba559b65d6d39c9c1c9441bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MdVzIEnNl8fl.bat
Filesize
276B

MD5
29c2f2d286e05528e582e530e0ce0326

SHA1
a016064f4ac1a73b3d1ff245f0f7c2138ff61611

SHA256
789be4ba64a80a747dfca64af99af9fbc2b6b11100cd561b5727354eadb6b724

SHA512
187483dcae8181d550c2ec73ea8f2584f600426cf0997d266abeacdfa169b2c8aa8d6f38aab7123ffe03b00871981a0eadca1353def30ceaaae18cf908344cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OtFriUE0NHIW.bat
Filesize
276B

MD5
47d57d7c425eb5bc577439b26cb87abe

SHA1
f70f31bdb0c101dfcc52be5b7e53d7743ceaf747

SHA256
d1ad7e20a7a4460634216099935335328577c864ea33471fda99e064e1d34257

SHA512
c8bad88ed2eba49fa5f268400003464e3b9f9a7fa3dc86dcd89dd87d8d39632a8da190a141b7268ac6cef324971e3ed8213535f1714b4916d792ad4f0b7c0dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEvaLWTigQob.bat
Filesize
276B

MD5
2a8dcd6085e824cd71109c5b0cb864b9

SHA1
6a775dc0afff302e8281b54096ecde7b829829f8

SHA256
ced70ec745f4ab5af35c4e4531098f9b31a617777b050a810ec18ec03ea20d11

SHA512
f4ccfa667e0789e352e46d035e35e3e6b2357870da3814f6148dc4f280d1a29390cb297f658cfcc8d68490e067c27d1970cb5ebe61052302f224413498f73347

Download Submit
C:\Users\Admin\AppData\Local\Temp\asJCFfYfpjwa.bat
Filesize
276B

MD5
33b35c0c586e56622e89d64d8a5c86a4

SHA1
5e468b1d097e3e2e5fa5b460ba299b357fe5f173

SHA256
3d5bed6234defc335342b78b47774545b530a72cae17f6b98a8c87aace55dc75

SHA512
846856321c04df2c08c2f5862825890e2c0bf5adb4fecb1adfff7798f3061576f0529adf5126125c85c2797e6c6b8c6592aedcaec1120727bebcd84e31fc39f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsMmHg4Yvw1F.bat
Filesize
276B

MD5
d95bd802c6f2198791e24c324fdaa073

SHA1
05720b63797b72b55e4193523a91a1f35753a15f

SHA256
f2b9248e11a75e564cd149bae4f1a3ed94e7526f7bb5dfdc4c3522dee21e3153

SHA512
2d59de21f1712889ec2f364c7671e037674252411fd98476dae577a4c57fea76e177bce1a28a655c629e7cb3075ad67da89d628866b3d0b0fe198b0f6d591b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\ouweEvBRPCNM.bat
Filesize
276B

MD5
a4c4547fc073d3a18f0c49f3bb69702b

SHA1
1147a0727ec8187ce8674c96a943bf669bc60303

SHA256
18e5184a4959680400f3e16105f28f90499ab1a081586bd2458ce9eb4eec84a3

SHA512
26d545d4b273c0914af5d13728ab4ef98c9eaa32a0869e4e228178c15932771ffe176ad74a8927e150893b5216bd99a42122a9c4dc230ff2473951ae74da80cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wJKVNztpJDqg.bat
Filesize
276B

MD5
6b993a30c271c9e2cdd8b1b76af43581

SHA1
15e999c3e776c3b44b95d0a51138bd2d10ab88ae

SHA256
e4ef94bf9600df13ef96eb1c03a845c4aa0e98233b63171dc05437f92bd96c14

SHA512
c21a0edf3a9a31b8287da33691d49e5a06f73fe49b94812ab7687b0ab6a2074b4a6b66356e4af268a997003cad1ed65544503433621a339768e79832b061b6cd

Download Submit
memory/2272-17-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/2272-16-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/2272-21-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/3848-0-0x0000000074FAE000-0x0000000074FAF000-memory.dmp

Filesize
4KB

Download
memory/3848-4-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/3848-5-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/3848-3-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/3848-2-0x0000000005B60000-0x0000000006104000-memory.dmp

Filesize
5.6MB

Download
memory/3848-13-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/3848-8-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/3848-1-0x0000000000AE0000-0x0000000000B3C000-memory.dmp

Filesize
368KB

Download
memory/3848-7-0x0000000074FAE000-0x0000000074FAF000-memory.dmp

Filesize
4KB

Download
memory/3848-6-0x0000000006250000-0x0000000006262000-memory.dmp

Filesize
72KB

Download