Overview

overview

10

Static

static

3

e48282011b...KI.exe

windows7-x64

10

e48282011b...KI.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-05-2024 05:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e48282011b4d855bcd15b6a938726270_NEIKI.exe

  • Size

    66KB

  • MD5

    e48282011b4d855bcd15b6a938726270

  • SHA1

    1772c8bfee0be0a4b8b86df0a215ff0d429ec2af

  • SHA256

    d2febd149b9558dacf694e6c1a8e3d06bf05bd4d848a7a13083a429cd2b78543

  • SHA512

    5ba1331939911ea157667cf5b5a5815eb6d6a1ee175fc50c095785c0b6f9008a2929488554c865406f496e2bd11330bb38969cc7ff70c33d312ab268d3f91436

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXik:IeklMMYJhqezw/pXzH9ik

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e48282011b4d855bcd15b6a938726270_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\e48282011b4d855bcd15b6a938726270_NEIKI.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1596
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5020
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3720
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1648
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4348
          • C:\Windows\SysWOW64\at.exe
            at 05:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:4916
            • C:\Windows\SysWOW64\at.exe
              at 05:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:512
              • C:\Windows\SysWOW64\at.exe
                at 05:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4480

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          44a2375bbbb5bfc0fe6c36a0e58ec8d2

          SHA1

          3a481d85886bc66ce88bb3d4481796c75e606848

          SHA256

          5d75298d2bba4fab94fcb938fb4ccc5883638e46c9a8faa92fcb6511eacb2199

          SHA512

          e98254895a7e062b39857d1bfd3e5eed499b7e59b1b31b155626f39350796080263bdf2220d514e9e6ff58784e522d0ad88c9ef050fdad6eae559ec7bebba34c

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          3272249970ae7efbd50691dee89e84f1

          SHA1

          3a2eba2c68ad7829e2f314d6d9f0ca98f753ff75

          SHA256

          662dfa7c9337381e9c3cf564c120a64393fcfc8faf0ed39b8c9a9c858ffcab66

          SHA512

          8de3c91412f919c5f394285cdd94ef869a2e1a3c1f1a2d3e78e9a1d00bb7c66dcbeba79eae0c9ce429d2b19187e012642b25f1378b71daa7659ef69e977e7526

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          8a90b73170c36a60cb30c21e69326071

          SHA1

          83e751e947e75e8c38933b3d65ec9204b3ca4080

          SHA256

          e7619a525b361b50f3ec113014d4ecb14962cc0cdc0e0092f33d5d476bf2d760

          SHA512

          47d7cfc164d7e2f02f0145181eb3d607804ca6a2657e58d67de71210a522fc33ffbe6007c11a1a0a8ca26455df928601ed71cb05260f3cbb61672da1d1ef3b48

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          3caa0825ef2ef30e905717d9d7aac992

          SHA1

          0c880c85c92eecfaa0f0766c4641ae84f69f5d65

          SHA256

          aca4608c7f9672131c8174bc5e492775b5bd2a564451e24334a3852bbb84f3c0

          SHA512

          fa38cda23fe103721d1d86aa8cd845c5ea5b05ca1529f448185b7c49122b02f571df6841fb66bf334f8e5d75b5c0ac28d64e5c1f2dd9235d7b59ba9638cac856

          Download Submit

        • memory/1596-5-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1596-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1596-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1596-57-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1596-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1596-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1596-2-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1648-37-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1648-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1648-38-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1648-43-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3720-26-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3720-29-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3720-54-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4348-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4348-45-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/5020-19-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5020-15-0x0000000075600000-0x000000007575D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/5020-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5020-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5020-14-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5020-69-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download