Overview

overview

10

Static

static

3

3d364486f0...cs.exe

windows7-x64

10

3d364486f0...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    21-05-2024 11:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d364486f01d9f10416d369463b5d5fa097192602634dbcd85fd59b75f78dcef_NeikiAnalytics.exe

  • Size

    65KB

  • MD5

    082459c751345ef3318b564fc94fbdd0

  • SHA1

    5bac779dfdad36ea77a8714f26fadcc2b45dff9e

  • SHA256

    3d364486f01d9f10416d369463b5d5fa097192602634dbcd85fd59b75f78dcef

  • SHA512

    d5a454f0b367012a2e7d11a627b52f57d322b9022b17ce5b17dd66751be90744c2c728415931f793ef6ba6364ffd5498c8d1cb8d45dc9f2985fd766029604b70

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Oul:7WNqkOJWmo1HpM0MkTUmul

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d364486f01d9f10416d369463b5d5fa097192602634dbcd85fd59b75f78dcef_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3d364486f01d9f10416d369463b5d5fa097192602634dbcd85fd59b75f78dcef_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2956
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2316
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2704
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2504
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2480
          • C:\Windows\SysWOW64\at.exe
            at 11:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1860
            • C:\Windows\SysWOW64\at.exe
              at 11:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2116
              • C:\Windows\SysWOW64\at.exe
                at 11:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:344

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          7d7e52c3fda5830876d4ab8313f5dbef

          SHA1

          a1b724c4e32175d2c98f0cd05762c002ab0b0649

          SHA256

          30474c5ec98ae8cec43642c94da4ec42f538dcbc95af527ec3179dab636a5673

          SHA512

          a2f436c7aae68f728b8749ca0a81f7747f3b7ac48cf8fe3de2723db7cbee29c798ee3516e9279a1bb57a7d61b892dfdc82cf39c96815fd654ea418591576873b

          Download Submit

        • \Windows\system\explorer.exe
          Filesize

          65KB

          MD5

          57c22d32455f48c145654301dc5b2fc1

          SHA1

          840324815dd081d078982d29bb2be4a4ce93366e

          SHA256

          5c2c24f41adee3ca75eacbdc51fbdb3d134def9edd9b5d51b5a1d9320cb05dab

          SHA512

          e734a6226c0dbbdef0be9fefc305a7a0dea4ad46990454cd38a6682117d3f3ac909026e9cd98ecc5af0ab1b3654de28eb91ed8732f93d75fbe7503ba40f57261

          Download Submit

        • \Windows\system\spoolsv.exe
          Filesize

          65KB

          MD5

          14dcec03b8b01712730351e22eaaefe2

          SHA1

          6a0389c1838c52a99d2d4c6277c8f9748d0a9d6e

          SHA256

          d7d405556e0f7b3b8c52a43ea5e1ba188cedec589cd1699252af8b5481f8cb51

          SHA512

          c26646bcdbf4ffc90808fd42042607f2cbdb41168c86dfd28815d1d543c8eae1ed96811b8eeea08f5b2af646a39c8a9c33e26a9034aa812a7acf5d4dbafc4bb5

          Download Submit

        • \Windows\system\svchost.exe
          Filesize

          65KB

          MD5

          1b8f2584a402f9c6b21eb7593bb9d463

          SHA1

          849d7de39d024441fc4803783a62b24ab9a9d3a2

          SHA256

          671800c83a4ab05059604ad4b544f9efb62e769612d67805856ff517be76a45c

          SHA512

          dd507376f769f418b116cdbc98682ccfeac2dae5da959d8886e5ab3adc363f32be12e9d9efea8dbc8499d2ec1863adc8dcdba56b53284534747af2ce34ad0f8a

          Download Submit

        • memory/2316-35-0x00000000030F0000-0x0000000003121000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2316-34-0x00000000030F0000-0x0000000003121000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2316-95-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2316-19-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2316-21-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2316-68-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2316-18-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2316-85-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2480-76-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2480-70-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2504-86-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2504-56-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2504-63-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2504-69-0x00000000025E0000-0x0000000002611000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2504-62-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2704-54-0x0000000002710000-0x0000000002741000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2704-80-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2704-37-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2704-42-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2704-52-0x0000000002710000-0x0000000002741000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2956-53-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2956-1-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2956-60-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2956-83-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2956-82-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2956-17-0x0000000002C20000-0x0000000002C51000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2956-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2956-2-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2956-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2956-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download