a27c7cc1c1de613d6c43a5951d356d37ba516ed8f80377f12684ed5116a957ba

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe
Size

66KB
MD5

807fa82223d9efb45b19a7d551a3d5f0
SHA1

dbdae440d9c948761177b28ed02b1a33195b0066
SHA256

a27c7cc1c1de613d6c43a5951d356d37ba516ed8f80377f12684ed5116a957ba
SHA512

771ac4b465fe3294e8fcee221a592c76c79e5b9669539df641ed89c9aaacc70ee8750bfdd17bf0c10b8d356112991bfe688e2c7813b6b14cb924c1f6d024e383
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXil:IeklMMYJhqezw/pXzH9il

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

resource	yara_rule
behavioral1/memory/2752-55-0x0000000072940000-0x0000000072A93000-memory.dmp	BazaLoader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2176	explorer.exe
2672	spoolsv.exe
2752	svchost.exe
2664	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2360	807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe
2360	807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe
2176	explorer.exe
2176	explorer.exe
2672	spoolsv.exe
2672	spoolsv.exe
2752	svchost.exe
2752	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2360	807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe
2176	explorer.exe
2176	explorer.exe
2176	explorer.exe
2752	svchost.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe
2176	explorer.exe
2752	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2176	explorer.exe
2752	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2360	807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe
2360	807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe
2176	explorer.exe
2176	explorer.exe
2672	spoolsv.exe
2672	spoolsv.exe
2752	svchost.exe
2752	svchost.exe
2664	spoolsv.exe
2664	spoolsv.exe
2176	explorer.exe
2176	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2176	2360	807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe	28
PID 2360 wrote to memory of 2176	2360	807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe	28
PID 2360 wrote to memory of 2176	2360	807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe	28
PID 2360 wrote to memory of 2176	2360	807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe	28
PID 2176 wrote to memory of 2672	2176	explorer.exe	29
PID 2176 wrote to memory of 2672	2176	explorer.exe	29
PID 2176 wrote to memory of 2672	2176	explorer.exe	29
PID 2176 wrote to memory of 2672	2176	explorer.exe	29
PID 2672 wrote to memory of 2752	2672	spoolsv.exe	30
PID 2672 wrote to memory of 2752	2672	spoolsv.exe	30
PID 2672 wrote to memory of 2752	2672	spoolsv.exe	30
PID 2672 wrote to memory of 2752	2672	spoolsv.exe	30
PID 2752 wrote to memory of 2664	2752	svchost.exe	31
PID 2752 wrote to memory of 2664	2752	svchost.exe	31
PID 2752 wrote to memory of 2664	2752	svchost.exe	31
PID 2752 wrote to memory of 2664	2752	svchost.exe	31
PID 2752 wrote to memory of 1960	2752	svchost.exe	32
PID 2752 wrote to memory of 1960	2752	svchost.exe	32
PID 2752 wrote to memory of 1960	2752	svchost.exe	32
PID 2752 wrote to memory of 1960	2752	svchost.exe	32
PID 2752 wrote to memory of 1312	2752	svchost.exe	36
PID 2752 wrote to memory of 1312	2752	svchost.exe	36
PID 2752 wrote to memory of 1312	2752	svchost.exe	36
PID 2752 wrote to memory of 1312	2752	svchost.exe	36
PID 2752 wrote to memory of 2256	2752	svchost.exe	38
PID 2752 wrote to memory of 2256	2752	svchost.exe	38
PID 2752 wrote to memory of 2256	2752	svchost.exe	38
PID 2752 wrote to memory of 2256	2752	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2176
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2664
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1312
    - - C:\Windows\SysWOW64\at.exe
        
        at 01:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
66KB

MD5
68c5d985e8483680649e62fe7fa66e25

SHA1
1183ee29034ab276d7fb3b38fa48fe9ae95dbd8e

SHA256
fc3b60554411f3d5db62e97a9329e53e590eb2af1c2044a691f32b4637be8271

SHA512
7a0f53580265ac560b8338050c8d2dad9b02f95a802282cdb2b11253dd074a4916467159b586b5f97796a7bafddf83368b87e12f0b54563f82203bae1d3f41fc

Download Submit
C:\Windows\system\explorer.exe

Filesize
66KB

MD5
6b7bb9a3fb8ffebc760e22ce2d633c75

SHA1
8b0b8a28f403a5ca1045baa68fc4cd946615268d

SHA256
daf8cc5f91eb512aa6b893e1c3de3cd76da3d84ce4008036d6678d81bd6fa0b0

SHA512
ca7b8106130aae65d8e836bc720d3a61c35a10ab6d91037ecaba14b7fb25b074cac7e83e63585cb392f9a8eb58da41a7eb5492bf7c7f099dbe5c859de5f37052

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
66KB

MD5
0f0b27bfa21da2ffd4091daa0d022ebd

SHA1
5f3ee6294fb2e7bd510979b65ddd6f6d5d9c953b

SHA256
88ba1a89a3dbbfdd5674f79f28eda8d152e15b7e4a86883eb3b4ad3eb351348a

SHA512
3b01b8a68288f20c1d38030bf40b30adfd020c3f50fd528f0e8de99bf19486c50cfbb8c6477d4c3e4a3b10dbe3eb815dc22284e16b3f747102dc7820970f5500

Download Submit
\Windows\system\svchost.exe

Filesize
66KB

MD5
17cde146df0af0d7a76548f970ae05cd

SHA1
587c07a0e0c458451e46a267e885cd13ab4769d5

SHA256
0289d5d15ba11755bfd1557f2a95f695161ccdcccadc60e185de2ac03fb12ce5

SHA512
2f7fb00e106e53ae1d08d0981f65b32da8a78744f19d7cfbfe3b1170692c0d56dc578a6c5e323d90530d3583748a260832d97984fb981971a76f8c88aeb00a83

Download Submit
memory/2176-23-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2176-84-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2176-95-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2176-35-0x0000000001D90000-0x0000000001DC1000-memory.dmp

Filesize
196KB

Download
memory/2176-19-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2360-17-0x00000000032B0000-0x00000000032E1000-memory.dmp

Filesize
196KB

Download
memory/2360-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2360-80-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2360-18-0x00000000032B0000-0x00000000032E1000-memory.dmp

Filesize
196KB

Download
memory/2360-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2360-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2360-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2360-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2360-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2360-79-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2664-68-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2664-66-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2664-74-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2672-49-0x0000000002AF0000-0x0000000002B21000-memory.dmp

Filesize
196KB

Download
memory/2672-40-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2672-36-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2672-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2672-41-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2672-43-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2752-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2752-55-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2752-65-0x0000000002640000-0x0000000002671000-memory.dmp

Filesize
196KB

Download
memory/2752-67-0x0000000002640000-0x0000000002671000-memory.dmp

Filesize
196KB

Download
memory/2752-86-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download