Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
22-05-2024 23:39
General
-
Target
59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe
-
Size
66KB
-
MD5
59a91a207cfb3c1808b174dbd6a26f00
-
SHA1
60c2d6a252e5dab6ee114b983c0a9425529fe71f
-
SHA256
5c900947a6337340980f03eff4699010e02f106e66cd588c60c4c2a6105775c6
-
SHA512
79ba50e28245a7328584081eba1cc13d78721bfc19e495477e1d7c640409b746dd819d1fe72ba272fe9db32a8302a068377cc5252362163b13fd3a494ca44709
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi9:IeklMMYJhqezw/pXzH9i9
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 23:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 23:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 23:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD58839c431d81cbcffdaf230c4bc8d6a9c
SHA1125da4bd9c4c3c89dac3bf83dd9651ffb199b874
SHA2562b5536701c755b2af79820d31e583bb845413580908933e3e8fbc3d0cc5d7765
SHA51272cfa7a446c856800d7c10be58dd5ac9b7c7f6ef98d35787c0a6f207fcf70b39180c51e789d363cfd9f219b183f3f42a6b0badf8a314ee17ce46d9ffcaa05b79
-
Filesize
66KB
MD5515142a864a05d2a9f0cb941938996b3
SHA1817a2543340a6995c73aadd0842ef4fa44b03cc2
SHA2569269f9f764c406f7257919ce4cdd95d3a5bbc1d0df4a7d49dceea30edc082a85
SHA512e3d63385f60d6baf7d9880deab912f27ca921b2f626ce471c8878825f956d027e1da2dc9386cbede6fcc9e1e3f17dd25341185b9ddfb407500181d6c12995211
-
Filesize
66KB
MD5897429c540fc853c3d0c1ab4d5b42d3b
SHA17e77c2db8bb62399e5ee7aa481eb81a1897cba95
SHA2561fe42d7331553ba62cf81c09c6a3f6fe22a4434b4ba672a847b11d4309a03c91
SHA5126f15e5fc86b0a70b22bd7901a3b74c99f9fdf350752087bc94edbdd21ef3aa014469c798b1e5d2ad28e7d74d5d457d526869dced3a5248477f6c259272b3f1c5
-
Filesize
66KB
MD59824e2b182fa6abb7c4d4f25fac42d34
SHA1eebe64992dfe48219f12eb59723bbebf78491a38
SHA2561ef65169c6aa134ada6efcf8755beb10084033609cd2c6a2e5f486bdc9951d32
SHA5126b321e1218a551bfdf745e26c9e9ed2849a9fd13fb9a5832c60aeb5cb2ca875fc4b8af2b0165598c86c765567711ecc99da13ee6bb1307f0ae5f5cfa6d954948
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
1.3MB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB