Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 23:03
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe, resource: win7-20240508-en)
- Behavioral task: behavioral2 (sample: 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe, resource: win10v2004-20240426-en)
General
- Target: 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe
- Size: 65KB
- MD5: 5353c17622c84c5d61329c3b195712b0
- SHA1: 9beff5f14683414e92dcc390c8a8fb62a521d761
- SHA256: 7dd4ee56498df7371fde30b613ed4c9a3ed689e1a95ad94711834362daea072a
- SHA512: 0f6499d49d6af9908b220c2473a57b0cf20af2ab399565bd29924fb6ca52ecdd2040caf87cb50b4479d3a60ffdf9845183efaf9bc6a42137243f7005f088341b
- SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuL:7WNqkOJWmo1HpM0MkTUmuL
Malware Config
Signatures
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
YARA matches (resource | yara_rule):
- behavioral1/memory/2752-54-0x0000000072940000-0x0000000072A93000-memory.dmp | BazaLoader
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
Registry events (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
Registry events (description | ioc | process):
- Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
Registry events (description | ioc | process):
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Executes dropped EXE (4 IoCs)
Processes (pid | process):
- 2080 | explorer.exe
- 2776 | spoolsv.exe
- 2752 | svchost.exe
- 2680 | spoolsv.exe
Loads dropped DLL (8 IoCs)
Processes (pid | process | events):
- 2132 | 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe | 2
- 2080 | explorer.exe | 2
- 2776 | spoolsv.exe | 2
- 2752 | svchost.exe | 2
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
Registry events (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
Processes: svchost.exe, explorer.exe, 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe, spoolsv.exe
File events (description | ioc | process):
- File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
- File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\explorer.exe | 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe
- File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
- File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process | events, 64 in total):
- 2132 | 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe | 1
- 2080 | explorer.exe | 33
- 2752 | svchost.exe | 30
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (pid | process):
- 2080 | explorer.exe
- 2752 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes (pid | process | events, in the order reported):
- 2132 | 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe | 2
- 2080 | explorer.exe | 2
- 2776 | spoolsv.exe | 2
- 2752 | svchost.exe | 2
- 2680 | spoolsv.exe | 2
- 2080 | explorer.exe | 2
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
Memory-write events (description | pid | process | target process | events; each pair was reported 4 times):
- PID 2132 wrote to memory of 2080 | 2132 | 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe | explorer.exe | 4
- PID 2080 wrote to memory of 2776 | 2080 | explorer.exe | spoolsv.exe | 4
- PID 2776 wrote to memory of 2752 | 2776 | spoolsv.exe | svchost.exe | 4
- PID 2752 wrote to memory of 2680 | 2752 | svchost.exe | spoolsv.exe | 4
- PID 2752 wrote to memory of 2008 | 2752 | svchost.exe | at.exe | 4
- PID 2752 wrote to memory of 2804 | 2752 | svchost.exe | at.exe | 4
- PID 2752 wrote to memory of 1804 | 2752 | svchost.exe | at.exe | 4
Processes
Process tree (number in brackets is the depth in the tree):
- [1] C:\Users\Admin\AppData\Local\Temp\5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - [5] C:\Windows\SysWOW64\at.exe
          Command line: at 23:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - [5] C:\Windows\SysWOW64\at.exe
          Command line: at 23:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - [5] C:\Windows\SysWOW64\at.exe
          Command line: at 23:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence:
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation:
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- C:\Users\Admin\AppData\Roaming\mrsys.exe
  Filesize: 65KB
  MD5: 01489c169b7ec619cf7c69bb325f7d7f
  SHA1: d645b1f121c53045c4bdbe27de38d91d6007827f
  SHA256: 9b268b7c5b13bcb4091ca566a9b5e1f338757d72b87b1b9933ef268b66535f99
  SHA512: 45908d1c5c321c91bcf0ec0364f3b80bf82825442ce563f411936c2c4e64bc8c508ad8ee01806e258748ae3f3ebaff41d14e518795c5dbb646ca19c339f1bea2
- C:\Windows\system\svchost.exe
  Filesize: 65KB
  MD5: 2c468fc49125a433173bdadc4c26c78c
  SHA1: 7beca9f21e87f68696cec372c885522954cf1a0b
  SHA256: 1a3d48754ef8d62816078ce0cf66727d7b80f65d451be7077995bdabe6593c70
  SHA512: b95610a1be648c2cb2f67585a16c7973916e49f0596e19fb0b4cdeb01fbf92cfbe687bbf604a130542f13adf82e16a1ed6529e28a0a48e29ab372924270b2e64
- \Windows\system\explorer.exe
  Filesize: 65KB
  MD5: 7ee328880b9d6629db1ea66628b656ea
  SHA1: cb421c1cc14f4003573999892d5b7039c3e26cf8
  SHA256: 2a997c879375c72069338b748e1dba759fdd97bd34d8d9bcf13b4f37dc101fac
  SHA512: 426bd7b1a1ce93631f307b52c437fa9514726eb348f18aedd985703e05ce0272fe70670eb4468d9c2bd8a92dfb31771ea4e8f636a0673bee00a1f23032a1c976
- \Windows\system\spoolsv.exe
  Filesize: 65KB
  MD5: 099d80ef83b8018f0511560e3ea165ba
  SHA1: 42cb7d2601f2f2bdb92f0ca69a310d4aa99be525
  SHA256: 26e65d66527e7f9b7f0a7d1f62338cc98a9f8c7ff65826470f4670e250e6c30d
  SHA512: 5ac20807720c3e77be82a94a472f7f7a2f1f79802a5aed7ae67f0347d7492a650fa0f66a06d73cb8f2ca004e34c6f088d1c2151ba03254b102552cfac97262b5
- memory/2080-22-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2080-80-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2080-91-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2080-19-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2080-20-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize: 1.3MB)
- memory/2132-3-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2132-17-0x0000000002B10000-0x0000000002B41000-memory.dmp (Filesize: 196KB)
- memory/2132-18-0x0000000002B10000-0x0000000002B41000-memory.dmp (Filesize: 196KB)
- memory/2132-1-0x0000000000020000-0x0000000000024000-memory.dmp (Filesize: 16KB)
- memory/2132-4-0x0000000000401000-0x000000000042E000-memory.dmp (Filesize: 180KB)
- memory/2132-2-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize: 1.3MB)
- memory/2132-0-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2132-77-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2132-78-0x0000000000401000-0x000000000042E000-memory.dmp (Filesize: 180KB)
- memory/2680-71-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2680-65-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize: 1.3MB)
- memory/2752-62-0x0000000002530000-0x0000000002561000-memory.dmp (Filesize: 196KB)
- memory/2752-58-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2752-54-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize: 1.3MB)
- memory/2752-82-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2776-75-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2776-53-0x0000000002480000-0x00000000024B1000-memory.dmp (Filesize: 196KB)
- memory/2776-37-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize: 1.3MB)
- memory/2776-42-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2776-36-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)