Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22-05-2024 21:40
General
-
Target
426f538e64d49d650dca734cc8157a00_NeikiAnalytics.exe
-
Size
66KB
-
MD5
426f538e64d49d650dca734cc8157a00
-
SHA1
84df011a8c81fa16dfe5b6e9f738c3e84857c462
-
SHA256
4a89cd2c6c8bebcf9e8c4f43977d1e520883f6b8ef08695335d8351a9758ed00
-
SHA512
203537dd2471336b524e1844f1b0ed1185f3645c379a3100044acd088700a4d64e1bba7ec39c299fe36c338a8b7a2446ed008f9b6c12583fedcddef425768f79
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXib:IeklMMYJhqezw/pXzH9ib
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\426f538e64d49d650dca734cc8157a00_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\426f538e64d49d650dca734cc8157a00_NeikiAnalytics.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 21:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 21:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 21:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\mrsys.exeFilesize
66KB
MD51008aec4193df5ebb3538eca6fda9b03
SHA1aa283cd23a8fff6e73ca2c8279922ed1780a4ab0
SHA256942e2aa3b012a43e49b763fe9196e84f71691fa41b41350dcedc82ea0f8a5c75
SHA51209e42d0d2b9c35b2ce9a9e4ff27dba18297f2494431fe4a3c01a9ed8d4b88d6512fb0bebd03764e80da3c988bdd31935a6c62af058ca15e6fea6a237453ee389
-
C:\Windows\System\explorer.exeFilesize
66KB
MD58d5e090b70ad69b34cc5474a8c2c2178
SHA11fb0e8ccb85fd45a62c1c1152ce24d0743147650
SHA256e8969160b3c0d52b991ff3d5dfcdc2eb1ae705f0f39952749e6297fa01e29726
SHA5126f7bd716939c44661e64f261ea11a2cf1c0ad068f9f7191404b77371c9a89c05305019a1f94582d60013b1541966037ea992c5eea4709c9fd97de62e7bbf8480
-
C:\Windows\System\spoolsv.exeFilesize
66KB
MD5696b1b55867555ab2553ae7d1d4abbc0
SHA14387f9b6dae0e5362cd1ea9f3fcfb45df486b505
SHA256bad91f2bcddabcdd7e012ee3ffa2c8ab32f467094ba7cbc2ad1107204af86e80
SHA512d710b10802d2dcc5f20684ef78140159a406bb322a09db749550e66c0d67d7cd27ae5ba732ac722cc5643f9e427f43ce3999a8c54c4de2c5d747e5ad6145cdb3
-
\??\c:\windows\system\svchost.exeFilesize
66KB
MD596035bae06f0e1de4884b2cbc7fa121d
SHA12091b0f5e3f977a75f282d493d61efa1b703b4d1
SHA256832df126a21b51eb93f3b8a474a07943cf2ed692b07cf808ae0689f86cc8772e
SHA512995eec9f452e08b5e43add016e3b7585a03ac3ab8397d8b1593c6098a55ef9aacc79c3a6672754fa6c1a79b9f4c807ad503a3456045b5fc49356746d7540c525
-
memory/228-70-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/228-59-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/228-13-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/228-14-0x0000000074F70000-0x00000000750CD000-memory.dmpFilesize
1.4MB
-
memory/228-16-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1428-3-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1428-57-0x00000000001C0000-0x00000000001C4000-memory.dmpFilesize
16KB
-
memory/1428-1-0x00000000001C0000-0x00000000001C4000-memory.dmpFilesize
16KB
-
memory/1428-6-0x0000000000401000-0x000000000042E000-memory.dmpFilesize
180KB
-
memory/1428-2-0x0000000074F70000-0x00000000750CD000-memory.dmpFilesize
1.4MB
-
memory/1428-0-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1428-56-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1428-58-0x0000000000401000-0x000000000042E000-memory.dmpFilesize
180KB
-
memory/2568-61-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2568-37-0x0000000074F70000-0x00000000750CD000-memory.dmpFilesize
1.4MB
-
memory/2568-42-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/3276-44-0x0000000074F70000-0x00000000750CD000-memory.dmpFilesize
1.4MB
-
memory/3276-50-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/4944-30-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/4944-54-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/4944-26-0x0000000074F70000-0x00000000750CD000-memory.dmpFilesize
1.4MB
-
memory/4944-25-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB