5900bddf1236006e0b308cae75c98837d20ea59327b941bf5bc8eb5ab8980a9a

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2705fe25790d0195ba7b39e41d128f20_NeikiAnalytics.exe
Size

66KB
MD5

2705fe25790d0195ba7b39e41d128f20
SHA1

2221ad41e4d16fd01470ed9e49e62423e6e244e1
SHA256

5900bddf1236006e0b308cae75c98837d20ea59327b941bf5bc8eb5ab8980a9a
SHA512

0b652571be184d5e9da2509de2175a3e0cfe767fa2dac8b8d311ce05d3d10c0cd75dbe70c535af56c8a4ce7096a2a2d577dcb19f0d46d56e0dc29c3fff8846b8
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiN:IeklMMYJhqezw/pXzH9iN

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

resource	yara_rule
behavioral1/memory/2608-56-0x0000000072940000-0x0000000072A93000-memory.dmp	BazaLoader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1728	explorer.exe
2716	spoolsv.exe
2608	svchost.exe
2436	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2220	2705fe25790d0195ba7b39e41d128f20_NeikiAnalytics.exe
2220	2705fe25790d0195ba7b39e41d128f20_NeikiAnalytics.exe
1728	explorer.exe
1728	explorer.exe
2716	spoolsv.exe
2716	spoolsv.exe
2608	svchost.exe
2608	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	2705fe25790d0195ba7b39e41d128f20_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	2705fe25790d0195ba7b39e41d128f20_NeikiAnalytics.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
2608	svchost.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe
2608	svchost.exe
1728	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1728	explorer.exe
2608	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2220	2705fe25790d0195ba7b39e41d128f20_NeikiAnalytics.exe
2220	2705fe25790d0195ba7b39e41d128f20_NeikiAnalytics.exe
1728	explorer.exe
1728	explorer.exe
2716	spoolsv.exe
2716	spoolsv.exe
2608	svchost.exe
2608	svchost.exe
2436	spoolsv.exe
2436	spoolsv.exe
1728	explorer.exe
1728	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1728	2220	2705fe25790d0195ba7b39e41d128f20_NeikiAnalytics.exe	28
PID 2220 wrote to memory of 1728	2220	2705fe25790d0195ba7b39e41d128f20_NeikiAnalytics.exe	28
PID 2220 wrote to memory of 1728	2220	2705fe25790d0195ba7b39e41d128f20_NeikiAnalytics.exe	28
PID 2220 wrote to memory of 1728	2220	2705fe25790d0195ba7b39e41d128f20_NeikiAnalytics.exe	28
PID 1728 wrote to memory of 2716	1728	explorer.exe	29
PID 1728 wrote to memory of 2716	1728	explorer.exe	29
PID 1728 wrote to memory of 2716	1728	explorer.exe	29
PID 1728 wrote to memory of 2716	1728	explorer.exe	29
PID 2716 wrote to memory of 2608	2716	spoolsv.exe	30
PID 2716 wrote to memory of 2608	2716	spoolsv.exe	30
PID 2716 wrote to memory of 2608	2716	spoolsv.exe	30
PID 2716 wrote to memory of 2608	2716	spoolsv.exe	30
PID 2608 wrote to memory of 2436	2608	svchost.exe	31
PID 2608 wrote to memory of 2436	2608	svchost.exe	31
PID 2608 wrote to memory of 2436	2608	svchost.exe	31
PID 2608 wrote to memory of 2436	2608	svchost.exe	31
PID 2608 wrote to memory of 1624	2608	svchost.exe	32
PID 2608 wrote to memory of 1624	2608	svchost.exe	32
PID 2608 wrote to memory of 1624	2608	svchost.exe	32
PID 2608 wrote to memory of 1624	2608	svchost.exe	32
PID 2608 wrote to memory of 1616	2608	svchost.exe	36
PID 2608 wrote to memory of 1616	2608	svchost.exe	36
PID 2608 wrote to memory of 1616	2608	svchost.exe	36
PID 2608 wrote to memory of 1616	2608	svchost.exe	36
PID 2608 wrote to memory of 1804	2608	svchost.exe	38
PID 2608 wrote to memory of 1804	2608	svchost.exe	38
PID 2608 wrote to memory of 1804	2608	svchost.exe	38
PID 2608 wrote to memory of 1804	2608	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\2705fe25790d0195ba7b39e41d128f20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2705fe25790d0195ba7b39e41d128f20_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1728
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2436
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1624
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\at.exe
        
        at 20:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
66KB

MD5
e4880f6b8c96ba2389a7bd340e0d019c

SHA1
dd4a62c07f3bcbc9eda40ef610618b9384ddadaf

SHA256
b835166273fa1cec6e364aff2b99c016676d3262fe6f5b19490dfeb52dd70a82

SHA512
732893be25fe0de2375dd294311f676aee13c2a66e7f0252bbcf19a7aceeec1b501fc9a5602bd02b8afaef8ea09e20f74b185d30741652a05c011384ff1c1855

Download Submit
C:\Windows\system\explorer.exe

Filesize
66KB

MD5
275b287a9f226e4980ada098a616afc5

SHA1
0b30c13caa74d3f4c32a690d36c62ad81bb35a10

SHA256
c642575cb4b9fd49a66f51e43805d545eda0ac3f13f173c4063ce365afbe7580

SHA512
dc84e242273b8c4cd381c442e499a4d3b114fcd3f5f0e00cf59ae556ef2350c7920b2d6d28d751853cf46894413091fd0e100e5a660d57619a3a2d86800b06b2

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
66KB

MD5
6d2e53e2f2131299063980f93a2b1cdb

SHA1
18fb9fd0849e52f381d118143d200c619056a553

SHA256
259fee57dc0ea54c20ab5b52514727bfd5351b4fd474896596c40eb79c18f9c8

SHA512
93453e3d718070a0042fc561ab977f65076008c3843b9172b3069a58d24307fdca5f04c313aba32087a93d7755d8de1fad48a8498d184862d26da8afc97f762a

Download Submit
\Windows\system\svchost.exe

Filesize
66KB

MD5
2ceba93d1d7271d6dc04b4374f35fe95

SHA1
9cf3e06e88247c42d022e04f8cc2ea36f4f3101c

SHA256
e4fbfa932530f6b70f1c41ba23702a6bd072f6e22d07cb5945a99afef074b900

SHA512
a6ee782683eaa89cd47739198888c60a3b6850674c093afeb5d1bf59d72978b14fced08eb9d5eee83913b702c12a0f12fd6148389972ca405777ee4a2aec6037

Download Submit
memory/1728-20-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1728-68-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1728-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1728-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1728-93-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1728-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1728-24-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1728-36-0x00000000025C0000-0x00000000025F1000-memory.dmp

Filesize
196KB

Download
memory/2220-81-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2220-59-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2220-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2220-17-0x00000000025F0000-0x0000000002621000-memory.dmp

Filesize
196KB

Download
memory/2220-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2220-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2220-80-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2220-6-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2220-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2436-74-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2436-69-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2608-56-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2608-61-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2608-62-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2608-84-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2716-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2716-54-0x00000000026A0000-0x00000000026D1000-memory.dmp

Filesize
196KB

Download
memory/2716-38-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2716-55-0x00000000026A0000-0x00000000026D1000-memory.dmp

Filesize
196KB

Download
memory/2716-42-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2716-37-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download