Analysis

max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/05/2024, 06:53

Static task: static1

Behavioral task: behavioral1
  Sample: a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General

Target: a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe
Size: 65KB
MD5: a33ace223221f156ad2565feb80d1d80
SHA1: e5ff85d983065d07a0241d6f20587dee9bb65ac1
SHA256: 9abeaa49787d3100f775be46625ac686cf690f06027a52f1ec9951e00705ac7f
SHA512: f392f4787c995fcc8f231b0e90869c4792b28b35c99e95b5d468f806826749eec8e8580a3c3a215500b62b663920a0af91f53532c02114e029661f1bca0c9be1
SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ouk:7WNqkOJWmo1HpM0MkTUmuk
Malware Config
Signatures
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
  resource | yara_rule
  behavioral2/memory/3224-36-0x0000000074C80000-0x0000000074DDD000-memory.dmp | BazaLoader
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  3160 | explorer.exe
  404 | spoolsv.exe
  3224 | svchost.exe
  224 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\system\explorer.exe | a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | entries
  3304 | a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe | 2
  3160 | explorer.exe | 34
  3224 | svchost.exe | 28
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  3160 | explorer.exe
  3224 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process | entries
  3304 | a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe | 2
  3160 | explorer.exe | 2
  404 | spoolsv.exe | 2
  3224 | svchost.exe | 2
  224 | spoolsv.exe | 2
  3160 | explorer.exe | 2
Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target | entries
  PID 3304 wrote to memory of 3160 | 3304 | a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe | 92 | 3
  PID 3160 wrote to memory of 404 | 3160 | explorer.exe | 93 | 3
  PID 404 wrote to memory of 3224 | 404 | spoolsv.exe | 94 | 3
  PID 3224 wrote to memory of 224 | 3224 | svchost.exe | 95 | 3
  PID 3224 wrote to memory of 2904 | 3224 | svchost.exe | 96 | 3
  PID 3224 wrote to memory of 3616 | 3224 | svchost.exe | 107 | 3
  PID 3224 wrote to memory of 1540 | 3224 | svchost.exe | 109 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe"
  PID: 3304
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 3160
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 404
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 3224
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 224
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe
          Command line: at 06:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2904

        C:\Windows\SysWOW64\at.exe
          Command line: at 06:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 3616

        C:\Windows\SysWOW64\at.exe
          Command line: at 06:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
  PID: 4352
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads

Filesize: 65KB
MD5: 834ea6c818813aa4e2906225f0bc0759
SHA1: 9d518a9cfc7a48bf2f963172c9ba5c474056d831
SHA256: 9bbf0b2fe9062c2e87d32d0b6656d343bee762f7c647466fac22508f2f2b913d
SHA512: 07803daa326387abf744c923c3305fdcb10e3fbed3dfb8202eaa6b56fced4c25042ef84a289dc389a2ab60c9bea4ba14019b7d7f0236d911b98fc259035b5ee0

Filesize: 65KB
MD5: d88dedabef80f93b72733aebb33257a5
SHA1: cbb5821a110b0d4c2bf2d235abf5587416ebcf4e
SHA256: 40a436179a20182d86bf6b838c32ff8103cb7fa836efc4c94b756a5a96ec0e93
SHA512: ab9a1adc8ef43d3d1b6b3a1a5305abfc1e2d47f613be88d37c1789ddcbdece0bd84802cdb07f1a7731b91b3f2886023ff61d551bd9de244afd7cb7e7dde7a8d1

Filesize: 65KB
MD5: f2dbcab1299e3370a634e6c117506436
SHA1: 1cc7645a7b555fc06c315e62bc68e6ae10adda2b
SHA256: 97317a3912540b08a514bfcffee32298baa1353104e2639895a5ab265503edc8
SHA512: 7bc51d667dc0c41bdd1e18761a923b1520767d34db25c1d0d10d23ec3767640512c046ddd190f8b5eb54028fcd0221a42711b460ba91657bc0ff4314ad54e49b

Filesize: 65KB
MD5: ce9591e76e0bbd7402225ff948e32163
SHA1: 871f7566dfe2829ebc5ba9416d307226c671fa71
SHA256: 6ccaaa80e11f53a4476fac912e9ef41e90e25eb7468689277da4994feb3e9864
SHA512: 2a8fee7926dddf78c00c71d7949f8e6178e4ff1fe1ea26ef2baa873e954b5d8371d6d7676fbc4b500fb22982134fc33b3c61ef46f6fb16e10f5fb380078ce5c4