Overview

overview

10

Static

static

3

751dd87e2d...cs.exe

windows7-x64

10

751dd87e2d...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15-05-2024 03:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    751dd87e2d9386c084b1c5a37606f8e0

  • SHA1

    822c1b5e3bf75c4aaf3dc005ba1a39fb5432ed09

  • SHA256

    62d7ffee1160f332be5a1031c236f0088f02a2915eb4c22dd3475a81f93ed219

  • SHA512

    970c02f1ada79b3ea3e4ae4adbc5fca6a23f43e10b5faa4b2625c45927d9850a0228916dc549fef31498b2e1cb5462d0aefa97b5a870322fc01c22040829503f

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi1:IeklMMYJhqezw/pXzH9i1

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2696
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1536
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2648
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2472
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2624
          • C:\Windows\SysWOW64\at.exe
            at 03:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2992
            • C:\Windows\SysWOW64\at.exe
              at 03:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2708
              • C:\Windows\SysWOW64\at.exe
                at 03:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2232

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          1c731338314fc307594395606d76fefa

          SHA1

          85f48a5d7485b65efd1b968445358b326a498c27

          SHA256

          193f0fe0e6da76cf52751829696f4e33e658246b65d4d1bdaed456e30915ca85

          SHA512

          6e1e91dafb2155318d53981cac56175b8ff98912da7663904cf5e8dd36e1a8d4e018edc257c36f413d48f3eb2bc538e243aab72885d2548d3e57f04cf3cbbea5

          Download Submit

        • C:\Windows\system\explorer.exe
          Filesize

          66KB

          MD5

          d44528f11d9798062b0d949e28eb7769

          SHA1

          6047a4cbd2639a9978f696ac7f4c98d9b17d4178

          SHA256

          970d1719d734cb68b6e7af5941e52e13a86f77d74244f005d9c0a50538540fd1

          SHA512

          50744d8b5ea83f636014b64f350df4a0a72eea9c92904281ef8f030d9308ec6238f646462367a173640f9bba0c7f05d7b0191bd20c732f25e8b2f7266e7ffc9c

          Download Submit

        • \Windows\system\spoolsv.exe
          Filesize

          66KB

          MD5

          18015c06639024e80e0bb51f82f92ad6

          SHA1

          83a98a4da5cde9dc3e7e362128849411fd3bfed4

          SHA256

          77ca938cfe7ece8a6018cdecb4f56dfb91478f9b9c64f62e47af377a2ab8afbb

          SHA512

          d696768d4dadb18f1950bf670cc5b5e84e99d38ac063586509213ff682cd357133c45cbc24ea4d58c618e09656fef35df0c21279d240a59f6d62278bad445ccd

          Download Submit

        • \Windows\system\svchost.exe
          Filesize

          66KB

          MD5

          ecb79ad651b74f1b950a75794dcfe5f8

          SHA1

          24cab541386ce2d86d6d09f546a8061be3330bd1

          SHA256

          67d15c7e7571d55b88e60549602fd2ffc008d70be5c4ffb946ad86326c4ebf4d

          SHA512

          d73d59034dab6693076fbd17607bf83a72bbcc0c89361bb860f0c8c8bced78bc8ef2e3ca8e1698028fb4e4c2f358173ac777cf64d8205538916b2ca7cd923291

          Download Submit

        • memory/1536-37-0x00000000026C0000-0x00000000026F1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1536-66-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1536-93-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1536-19-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1536-25-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1536-21-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1536-83-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1536-20-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2472-58-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2472-84-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2472-62-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2624-69-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2624-75-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2648-54-0x0000000002850000-0x0000000002881000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2648-76-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2648-43-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2648-39-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2648-38-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2696-1-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2696-80-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2696-57-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2696-81-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2696-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2696-55-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2696-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2696-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2696-2-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2696-16-0x0000000002690000-0x00000000026C1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2696-17-0x0000000002690000-0x00000000026C1000-memory.dmp

          Filesize

          196KB

          Download