Overview

overview

10

Static

static

3

751dd87e2d...cs.exe

windows7-x64

10

751dd87e2d...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/05/2024, 03:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    751dd87e2d9386c084b1c5a37606f8e0

  • SHA1

    822c1b5e3bf75c4aaf3dc005ba1a39fb5432ed09

  • SHA256

    62d7ffee1160f332be5a1031c236f0088f02a2915eb4c22dd3475a81f93ed219

  • SHA512

    970c02f1ada79b3ea3e4ae4adbc5fca6a23f43e10b5faa4b2625c45927d9850a0228916dc549fef31498b2e1cb5462d0aefa97b5a870322fc01c22040829503f

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi1:IeklMMYJhqezw/pXzH9i1

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\751dd87e2d9386c084b1c5a37606f8e0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4364
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2592
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4716
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3040
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3656
          • C:\Windows\SysWOW64\at.exe
            at 03:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1120
            • C:\Windows\SysWOW64\at.exe
              at 03:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2112
              • C:\Windows\SysWOW64\at.exe
                at 03:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2188

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          030b812f0e3948914a94e7ba6801a2fd

          SHA1

          a79112c1067c25fdda8805c06a168bda68f9125e

          SHA256

          43010916858812382f10eb25586b3ebe116523240624a9095127417e906d5640

          SHA512

          a198476c802f4ef8e0c87ba06e20dfa36a1d2bd3632b6c867b50d915e1e35b81abb95d8bbbf2be38fdfc966b97639b196c30370368cff34ab9e04b0ea30d6b87

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          ed2eeee8a5f8042b0bde62fd90df90a4

          SHA1

          31829445d9a5ced0ef633b859574d2a39b2b685d

          SHA256

          7b7547eaab04807ef6aceb3b1477d85ecade7a6305a57e92bb47f15b672d39fd

          SHA512

          ce980376c68e5f47da4d0025f7bb4879ca6f2dfc2b4abe1bf958f0d5a1eaaa03171224f504d0caa2bf039375b32f0eb85c13fd42a05f20db7c3089011a096604

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          9569df43bb5fd82f05ed43ce7a177faa

          SHA1

          8a64f324dd1a3e29e54ad1ff56aaaa50d4611ea4

          SHA256

          a6317a51ddb1fe8e47d9d8350095a62481f750f9fffa2132a3dc67f4f233b583

          SHA512

          03e4fab917b272a8ee725606ab337a6641afb1ecf8cd3aebd05fdaddc1f5ad132b3a35bc24d785b26b6d13cc7a3aeb785f9c59120d73862bb2b480e4d62959d8

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          b885f27779d5b891f7f7f0eac5abb87e

          SHA1

          18e0e54faf3eb7d2705b1025576ab6a1df5a3e2c

          SHA256

          575fd4444d974e3c67c9d99da1338b9599b94af411bb5f3463526bee26c26e7a

          SHA512

          20a6ee31c27aa1b7f8e789f3ca2e83a514aaa909eba3240c91812b8225fa2c555b17c470ca94ce859d7550b4886915b1b5318c68afbbe7f6386bccad1cebee3a

          Download Submit

        • memory/2592-16-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2592-15-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2592-13-0x0000000075350000-0x00000000754AD000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2592-69-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2592-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3040-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3040-40-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3040-36-0x0000000075350000-0x00000000754AD000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3656-43-0x0000000075350000-0x00000000754AD000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3656-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4364-56-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4364-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4364-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4364-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4364-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4364-2-0x0000000075350000-0x00000000754AD000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4364-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/4716-51-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4716-29-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4716-25-0x0000000075350000-0x00000000754AD000-memory.dmp

          Filesize

          1.4MB

          Download