Overview

overview

10

Static

static

3

3d364486f0...cs.exe

windows7-x64

10

3d364486f0...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 11:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d364486f01d9f10416d369463b5d5fa097192602634dbcd85fd59b75f78dcef_NeikiAnalytics.exe

  • Size

    65KB

  • MD5

    082459c751345ef3318b564fc94fbdd0

  • SHA1

    5bac779dfdad36ea77a8714f26fadcc2b45dff9e

  • SHA256

    3d364486f01d9f10416d369463b5d5fa097192602634dbcd85fd59b75f78dcef

  • SHA512

    d5a454f0b367012a2e7d11a627b52f57d322b9022b17ce5b17dd66751be90744c2c728415931f793ef6ba6364ffd5498c8d1cb8d45dc9f2985fd766029604b70

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Oul:7WNqkOJWmo1HpM0MkTUmul

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d364486f01d9f10416d369463b5d5fa097192602634dbcd85fd59b75f78dcef_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3d364486f01d9f10416d369463b5d5fa097192602634dbcd85fd59b75f78dcef_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2392
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5100
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:692
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2460
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3016
          • C:\Windows\SysWOW64\at.exe
            at 11:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2556
            • C:\Windows\SysWOW64\at.exe
              at 11:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1112
              • C:\Windows\SysWOW64\at.exe
                at 11:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3200

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          3369b1354203d4d70cc3d0990d0e2ae4

          SHA1

          d01b8039262a39a4389eb33af58caf893bbab4ba

          SHA256

          f1cfa27a74fb85fe3a595bd81c48b56417c63ddc880ff4bae8ea1731eca761ae

          SHA512

          29266ff978bd5987d43d6943bebec84bb6634484015ff300d5ccb5b7c69e70208acae4fd6fccaeb114f549dcf1a9b897fae2b4a98e7d4c6d5afa4a0aedec6afd

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          65KB

          MD5

          6a1824a5a3417b5a96214379125755e4

          SHA1

          2e1b84989b5a21dfc33d2616f427fa6f97ff4013

          SHA256

          0e72de8f7ee01701a3eacdeb3b68cf9c51370ba9e7281c46ac9f280b886c31df

          SHA512

          13989620dc9aaf1132deaa1a2251a45ceb3f08e09e17260da137443baf3388635a1747af139a17eb095555ad394aef828ec97a6f7c9ec1125e61820bb664549e

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          65KB

          MD5

          6a15e02f921c3c75701ff5f6e03f8f38

          SHA1

          507547c7f74305bb966c4ecc0f6e1e8a5003de6c

          SHA256

          c1e2ddab24e4f6ec5f892a063d9f8117574e57a68aa778838837134b380da1a4

          SHA512

          63a9c0d59b1ef9fef9ca3547d39be3ac1cd1ec7018b2bcd3266046e4e727af120c782914a2d99249a4c7d4864ecbba9468e9a1853137c1980a28d1c68df5296e

          Download Submit

        • \??\c:\windows\system\svchost.exe
          Filesize

          65KB

          MD5

          bde5254d9854efe9d6bb3f726b673934

          SHA1

          858ac9eab8c5f671a2d065f7a6571230daac5607

          SHA256

          63af883763dc56885f7d9d9bc9b8b6df16e236f6b9a7150348b541da29c8511d

          SHA512

          e4d6d7d46d6636ee666b500a6b14e22ea908b655cda35bea4dca6908754f299044254697577b3c1e2c611e8904bb5e916a153464d6cc1fb1745df67f46fe5e95

          Download Submit

        • memory/692-24-0x0000000074DE0000-0x0000000074F3D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/692-52-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2392-2-0x0000000074DE0000-0x0000000074F3D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2392-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2392-55-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2392-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2392-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2392-54-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2392-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2392-56-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2460-35-0x0000000074DE0000-0x0000000074F3D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2460-39-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2460-34-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2460-59-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3016-48-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3016-42-0x0000000074DE0000-0x0000000074F3D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/5100-13-0x0000000074DE0000-0x0000000074F3D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/5100-15-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5100-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5100-68-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download