Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 13/05/2024, 06:53
Static task: static1
Behavioral task: behavioral1
  Sample: a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
- Target: a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe
- Size: 65KB
- MD5: a33ace223221f156ad2565feb80d1d80
- SHA1: e5ff85d983065d07a0241d6f20587dee9bb65ac1
- SHA256: 9abeaa49787d3100f775be46625ac686cf690f06027a52f1ec9951e00705ac7f
- SHA512: f392f4787c995fcc8f231b0e90869c4792b28b35c99e95b5d468f806826749eec8e8580a3c3a215500b62b663920a0af91f53532c02114e029661f1bca0c9be1
- SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ouk:7WNqkOJWmo1HpM0MkTUmuk
Malware Config

Signatures
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
resource | yara_rule
behavioral1/memory/2672-56-0x0000000072940000-0x0000000072A93000-memory.dmp | BazaLoader
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE 4 IoCs
pid | Process
2424 | explorer.exe
2592 | spoolsv.exe
2672 | svchost.exe
2496 | spoolsv.exe
Loads dropped DLL 8 IoCs
pid | Process
2104 | a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe
2104 | a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe
2424 | explorer.exe
2424 | explorer.exe
2592 | spoolsv.exe
2592 | spoolsv.exe
2672 | svchost.exe
2672 | svchost.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2424 | explorer.exe
2672 | svchost.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
2104 | a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe
2104 | a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe
2424 | explorer.exe
2424 | explorer.exe
2592 | spoolsv.exe
2592 | spoolsv.exe
2672 | svchost.exe
2672 | svchost.exe
2496 | spoolsv.exe
2496 | spoolsv.exe
2424 | explorer.exe
2424 | explorer.exe
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2104 wrote to memory of 2424 | 2104 | a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe | 28
PID 2104 wrote to memory of 2424 | 2104 | a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe | 28
PID 2104 wrote to memory of 2424 | 2104 | a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe | 28
PID 2104 wrote to memory of 2424 | 2104 | a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe | 28
PID 2424 wrote to memory of 2592 | 2424 | explorer.exe | 29
PID 2424 wrote to memory of 2592 | 2424 | explorer.exe | 29
PID 2424 wrote to memory of 2592 | 2424 | explorer.exe | 29
PID 2424 wrote to memory of 2592 | 2424 | explorer.exe | 29
PID 2592 wrote to memory of 2672 | 2592 | spoolsv.exe | 30
PID 2592 wrote to memory of 2672 | 2592 | spoolsv.exe | 30
PID 2592 wrote to memory of 2672 | 2592 | spoolsv.exe | 30
PID 2592 wrote to memory of 2672 | 2592 | spoolsv.exe | 30
PID 2672 wrote to memory of 2496 | 2672 | svchost.exe | 31
PID 2672 wrote to memory of 2496 | 2672 | svchost.exe | 31
PID 2672 wrote to memory of 2496 | 2672 | svchost.exe | 31
PID 2672 wrote to memory of 2496 | 2672 | svchost.exe | 31
PID 2672 wrote to memory of 2828 | 2672 | svchost.exe | 32
PID 2672 wrote to memory of 2828 | 2672 | svchost.exe | 32
PID 2672 wrote to memory of 2828 | 2672 | svchost.exe | 32
PID 2672 wrote to memory of 2828 | 2672 | svchost.exe | 32
PID 2672 wrote to memory of 1436 | 2672 | svchost.exe | 36
PID 2672 wrote to memory of 1436 | 2672 | svchost.exe | 36
PID 2672 wrote to memory of 1436 | 2672 | svchost.exe | 36
PID 2672 wrote to memory of 1436 | 2672 | svchost.exe | 36
PID 2672 wrote to memory of 1776 | 2672 | svchost.exe | 38
PID 2672 wrote to memory of 1776 | 2672 | svchost.exe | 38
PID 2672 wrote to memory of 1776 | 2672 | svchost.exe | 38
PID 2672 wrote to memory of 1776 | 2672 | svchost.exe | 38
Processes
- C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe"
  PID: 2104
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 2424
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 2592
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Child processes:
      - \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 2672
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Child processes:
        - \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 2496
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe
          Command line: at 06:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2828
        - C:\Windows\SysWOW64\at.exe
          Command line: at 06:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1436
        - C:\Windows\SysWOW64\at.exe
          Command line: at 06:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1776
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads