Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
17/05/2024, 01:52
General
-
Target
807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe
-
Size
66KB
-
MD5
807fa82223d9efb45b19a7d551a3d5f0
-
SHA1
dbdae440d9c948761177b28ed02b1a33195b0066
-
SHA256
a27c7cc1c1de613d6c43a5951d356d37ba516ed8f80377f12684ed5116a957ba
-
SHA512
771ac4b465fe3294e8fcee221a592c76c79e5b9669539df641ed89c9aaacc70ee8750bfdd17bf0c10b8d356112991bfe688e2c7813b6b14cb924c1f6d024e383
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXil:IeklMMYJhqezw/pXzH9il
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\807fa82223d9efb45b19a7d551a3d5f0_NeikiAnalytics.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 01:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 01:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 01:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD5ae6aca78e092164b6db1c9a84bb6c006
SHA1e39f7ca192990707aeda65a9ac0ff7e1152a3b33
SHA256605ce4abbdb5f5d14e4883c090e6e794a040925cbb922686d063492b1a1b3722
SHA5124c37499e06cfd52d817dcc708eda42a7b227f0d3a5c07e2aea22b1fbe15fd7ab2ed8bf4fe3398c83da3b2ab6d7627abedfe08f2f0c4a05b6c6ddfeed54946730
-
Filesize
66KB
MD589291281ca1b54e229e84c60b2add7af
SHA1c02e301691997f5c9e23f49de722756ea1192bae
SHA256961c59b0f5b29355964ed3fdcbc967ecbd588e3bf8b314a9215248063e9d3e5d
SHA5126526583c0e34ce9f26ee3247902c29e573f60a6acad9394422dfb951a2c0529e119a9af6dc6c3f1ec1482a5042fc24fad2743e1d5fc687da6f164bbb8a47c978
-
Filesize
66KB
MD51dd9744a066eea658fb3672c1fe42b12
SHA1406440bc76cd37dffda0c15d06a7ea7e0cba5514
SHA256d8a3273d532edb8350e6d07c4beda99109d8ca4bb47136b826308bdc47d157e3
SHA51263d513cc4408f90fe6190fe5ca34e135fc928d3223647679df0cb50cbd5e20a49abfa85deae060ac4bc78a20dc0fac5429d4f187c9a72f0c5757b117b1adaab2
-
Filesize
66KB
MD5aa4a3c019af4df1baf84c0747727720c
SHA1f04844af77f35fb627bacf41f7f3f866905ed6f3
SHA2568f06fe093ca61709b502f2763d32d10ee12b731a1ca4b1bd68e9a7b2006ea9a8
SHA512cb14597ea81817d3f67bdaff3f64904384941dca8514f1c659c7a85d519a79692526e912062ccbd779947d805f208be8af1df681b6743bce5da82c0671ce7680
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
16KB