Analysis
- max time kernel: 150s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 23:03
Static task: static1
Behavioral task: behavioral1
- Sample: 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe
- Size: 65KB
- MD5: 5353c17622c84c5d61329c3b195712b0
- SHA1: 9beff5f14683414e92dcc390c8a8fb62a521d761
- SHA256: 7dd4ee56498df7371fde30b613ed4c9a3ed689e1a95ad94711834362daea072a
- SHA512: 0f6499d49d6af9908b220c2473a57b0cf20af2ab399565bd29924fb6ca52ecdd2040caf87cb50b4479d3a60ffdf9845183efaf9bc6a42137243f7005f088341b
- SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuL:7WNqkOJWmo1HpM0MkTUmuL
Malware Config
Signatures
- Detects BazaLoader malware (1 IoC)
  BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
  Processes:
  resource | yara_rule
  behavioral2/memory/1092-37-0x0000000075850000-0x00000000759AD000-memory.dmp | BazaLoader
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
- Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  Processes: explorer.exe, svchost.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
- Executes dropped EXE (4 IoCs)
  Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  2460 | explorer.exe
  1268 | spoolsv.exe
  1092 | svchost.exe
  4188 | spoolsv.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
- Drops file in Windows directory (6 IoCs)
  Processes: explorer.exe, spoolsv.exe, svchost.exe, 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe
  description | ioc | process
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe, explorer.exe, svchost.exe
  pid | process | hits (of 64)
  816 | 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe | 2
  2460 | explorer.exe | 33
  1092 | svchost.exe | 29
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: explorer.exe, svchost.exe
  pid | process
  2460 | explorer.exe
  1092 | svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  816 | 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe
  816 | 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe
  2460 | explorer.exe
  2460 | explorer.exe
  1268 | spoolsv.exe
  1268 | spoolsv.exe
  1092 | svchost.exe
  1092 | svchost.exe
  4188 | spoolsv.exe
  4188 | spoolsv.exe
  2460 | explorer.exe
  2460 | explorer.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
  description | pid | process | target process
  PID 816 wrote to memory of 2460 | 816 | 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe | explorer.exe
  PID 816 wrote to memory of 2460 | 816 | 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe | explorer.exe
  PID 816 wrote to memory of 2460 | 816 | 5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe | explorer.exe
  PID 2460 wrote to memory of 1268 | 2460 | explorer.exe | spoolsv.exe
  PID 2460 wrote to memory of 1268 | 2460 | explorer.exe | spoolsv.exe
  PID 2460 wrote to memory of 1268 | 2460 | explorer.exe | spoolsv.exe
  PID 1268 wrote to memory of 1092 | 1268 | spoolsv.exe | svchost.exe
  PID 1268 wrote to memory of 1092 | 1268 | spoolsv.exe | svchost.exe
  PID 1268 wrote to memory of 1092 | 1268 | spoolsv.exe | svchost.exe
  PID 1092 wrote to memory of 4188 | 1092 | svchost.exe | spoolsv.exe
  PID 1092 wrote to memory of 4188 | 1092 | svchost.exe | spoolsv.exe
  PID 1092 wrote to memory of 4188 | 1092 | svchost.exe | spoolsv.exe
  PID 1092 wrote to memory of 2316 | 1092 | svchost.exe | at.exe
  PID 1092 wrote to memory of 2316 | 1092 | svchost.exe | at.exe
  PID 1092 wrote to memory of 2316 | 1092 | svchost.exe | at.exe
  PID 1092 wrote to memory of 392 | 1092 | svchost.exe | at.exe
  PID 1092 wrote to memory of 392 | 1092 | svchost.exe | at.exe
  PID 1092 wrote to memory of 392 | 1092 | svchost.exe | at.exe
  PID 1092 wrote to memory of 1684 | 1092 | svchost.exe | at.exe
  PID 1092 wrote to memory of 1684 | 1092 | svchost.exe | at.exe
  PID 1092 wrote to memory of 1684 | 1092 | svchost.exe | at.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5353c17622c84c5d61329c3b195712b0_NeikiAnalytics.exe"
  Signatures:
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (depth 2)
    Command line: c:\windows\system\explorer.exe
    Signatures:
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (depth 3)
      Command line: c:\windows\system\spoolsv.exe SE
      Signatures:
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (depth 4)
        Command line: c:\windows\system\svchost.exe
        Signatures:
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (depth 5)
          Command line: c:\windows\system\spoolsv.exe PR
          Signatures:
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (depth 5)
          Command line: at 23:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (depth 5)
          Command line: at 23:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (depth 5)
          Command line: at 23:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Downloads
- C:\Users\Admin\AppData\Roaming\mrsys.exe
  Filesize: 65KB
  MD5: ef230dca5d30fb6910becc2c9acae4cc
  SHA1: b98930c8ba82658931c1da8a8353ca2935219c57
  SHA256: 0b99be84225efbee38a025ae790baa7930752d3b81204308631e9bf3c99e11b3
  SHA512: 7609f2b779112e7d465703ebadcb84f464e939b92726292a1e0165696aba77e53150ade290f07a174e43b43caa7a46433152e4d5a303bb9d11f4411f282b9459
- C:\Windows\System\explorer.exe
  Filesize: 65KB
  MD5: 52c087118aa49ab60c4e2dc3f987da66
  SHA1: 1206e1b825a0f787bd9b5f7162641c76929889cd
  SHA256: eba44f55536b8f38a68e5f2f905a265a9e842fae56a0d8e6bc50e028b4dc2275
  SHA512: 3825ba23c8db46cffca296dcf576acf14c8dd9903b9dc08675b2a200d4d7a0e9cb6da13dce226939499045b255865236a48d930c01ee8aac7d99dd28295e3888
- C:\Windows\System\spoolsv.exe
  Filesize: 65KB
  MD5: 68606175898873efeb95b67c9ed162f6
  SHA1: 12e6931f133358d995a8436b0967a6873ef971c7
  SHA256: 19b240f44d7c1d1d3285857257034687b29ea3fe1f7579c52847d4f9db925e01
  SHA512: 9cb35fdba1c87dc7e98b067b3eef0da4ffa8f56a91da7c860233b2b5029111c236321fe89ae116fa9a2d30e0ceb19dfb0ad7a8a9ca8cf2cacefd2b6e22c16a26
- \??\c:\windows\system\svchost.exe
  Filesize: 65KB
  MD5: 49242c07399f5fad2f4713abf431f4d5
  SHA1: 7c13be97be79d7959e883cc1b88324fa136759ac
  SHA256: 629c89de8f43b119bf5d44209a35d983d78d828ce4d788d32a98405864a668c2
  SHA512: 637b79ccd97fea4112a6778f6b2338421d93c9a75837630ac14ce4b8bcb7b84327aeabd45431c57f62f06f3f19e6e021f0281b41a8d03bb7df6545a8b1952296
- memory/816-57-0x0000000000401000-0x000000000042E000-memory.dmp
  Filesize: 180KB
- memory/816-4-0x0000000000401000-0x000000000042E000-memory.dmp
  Filesize: 180KB
- memory/816-2-0x0000000075850000-0x00000000759AD000-memory.dmp
  Filesize: 1.4MB
- memory/816-56-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
- memory/816-3-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
- memory/816-0-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
- memory/816-1-0x00000000001C0000-0x00000000001C4000-memory.dmp
  Filesize: 16KB
- memory/1092-60-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
- memory/1092-41-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
- memory/1092-37-0x0000000075850000-0x00000000759AD000-memory.dmp
  Filesize: 1.4MB
- memory/1268-30-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
- memory/1268-26-0x0000000075850000-0x00000000759AD000-memory.dmp
  Filesize: 1.4MB
- memory/1268-54-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
- memory/2460-17-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
- memory/2460-15-0x0000000075850000-0x00000000759AD000-memory.dmp
  Filesize: 1.4MB
- memory/2460-14-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
- memory/2460-59-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
- memory/2460-13-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
- memory/2460-69-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB
- memory/4188-44-0x0000000075850000-0x00000000759AD000-memory.dmp
  Filesize: 1.4MB
- memory/4188-50-0x0000000000400000-0x0000000000431000-memory.dmp
  Filesize: 196KB