5c900947a6337340980f03eff4699010e02f106e66cd588c60c4c2a6105775c6

General

Target

59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe
Size

66KB
MD5

59a91a207cfb3c1808b174dbd6a26f00
SHA1

60c2d6a252e5dab6ee114b983c0a9425529fe71f
SHA256

5c900947a6337340980f03eff4699010e02f106e66cd588c60c4c2a6105775c6
SHA512

79ba50e28245a7328584081eba1cc13d78721bfc19e495477e1d7c640409b746dd819d1fe72ba272fe9db32a8302a068377cc5252362163b13fd3a494ca44709
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi9:IeklMMYJhqezw/pXzH9i9

Score

10^/10

Malware Config

Signatures

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral1/memory/2912-56-0x0000000072940000-0x0000000072A93000-memory.dmp	BazaLoader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2232 explorer.exe
1992 spoolsv.exe
2912 svchost.exe
2640 spoolsv.exe

pid	process
2232	explorer.exe
1992	spoolsv.exe
2912	svchost.exe
2640	spoolsv.exe

Loads dropped DLL 8 IoCs

Processes:

59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

pid	process
2220	59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe
2220	59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe
2232	explorer.exe
2232	explorer.exe
1992	spoolsv.exe
1992	spoolsv.exe
2912	svchost.exe
2912	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

spoolsv.exeexplorer.exesvchost.exe59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exeexplorer.exesvchost.exe

pid	process
2220	59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2912	svchost.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2232	explorer.exe
2912	svchost.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe
2232	explorer.exe
2912	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2232 explorer.exe
2912 svchost.exe

pid	process
2232	explorer.exe
2912	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2220	59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe
2220	59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe
2232	explorer.exe
2232	explorer.exe
1992	spoolsv.exe
1992	spoolsv.exe
2912	svchost.exe
2912	svchost.exe
2640	spoolsv.exe
2640	spoolsv.exe
2232	explorer.exe
2232	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2220 wrote to memory of 2232	2220	59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe	explorer.exe
PID 2220 wrote to memory of 2232	2220	59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe	explorer.exe
PID 2220 wrote to memory of 2232	2220	59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe	explorer.exe
PID 2220 wrote to memory of 2232	2220	59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe	explorer.exe
PID 2232 wrote to memory of 1992	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 1992	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 1992	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 1992	2232	explorer.exe	spoolsv.exe
PID 1992 wrote to memory of 2912	1992	spoolsv.exe	svchost.exe
PID 1992 wrote to memory of 2912	1992	spoolsv.exe	svchost.exe
PID 1992 wrote to memory of 2912	1992	spoolsv.exe	svchost.exe
PID 1992 wrote to memory of 2912	1992	spoolsv.exe	svchost.exe
PID 2912 wrote to memory of 2640	2912	svchost.exe	spoolsv.exe
PID 2912 wrote to memory of 2640	2912	svchost.exe	spoolsv.exe
PID 2912 wrote to memory of 2640	2912	svchost.exe	spoolsv.exe
PID 2912 wrote to memory of 2640	2912	svchost.exe	spoolsv.exe
PID 2912 wrote to memory of 2724	2912	svchost.exe	at.exe
PID 2912 wrote to memory of 2724	2912	svchost.exe	at.exe
PID 2912 wrote to memory of 2724	2912	svchost.exe	at.exe
PID 2912 wrote to memory of 2724	2912	svchost.exe	at.exe
PID 2912 wrote to memory of 1752	2912	svchost.exe	at.exe
PID 2912 wrote to memory of 1752	2912	svchost.exe	at.exe
PID 2912 wrote to memory of 1752	2912	svchost.exe	at.exe
PID 2912 wrote to memory of 1752	2912	svchost.exe	at.exe
PID 2912 wrote to memory of 2132	2912	svchost.exe	at.exe
PID 2912 wrote to memory of 2132	2912	svchost.exe	at.exe
PID 2912 wrote to memory of 2132	2912	svchost.exe	at.exe
PID 2912 wrote to memory of 2132	2912	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2640

C:\Windows\SysWOW64\at.exe
at 23:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2724

C:\Windows\SysWOW64\at.exe
at 23:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:1752

C:\Windows\SysWOW64\at.exe
at 23:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2132

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
66KB

MD5
8839c431d81cbcffdaf230c4bc8d6a9c

SHA1
125da4bd9c4c3c89dac3bf83dd9651ffb199b874

SHA256
2b5536701c755b2af79820d31e583bb845413580908933e3e8fbc3d0cc5d7765

SHA512
72cfa7a446c856800d7c10be58dd5ac9b7c7f6ef98d35787c0a6f207fcf70b39180c51e789d363cfd9f219b183f3f42a6b0badf8a314ee17ce46d9ffcaa05b79

Download Submit
\Windows\system\explorer.exe
Filesize
66KB

MD5
515142a864a05d2a9f0cb941938996b3

SHA1
817a2543340a6995c73aadd0842ef4fa44b03cc2

SHA256
9269f9f764c406f7257919ce4cdd95d3a5bbc1d0df4a7d49dceea30edc082a85

SHA512
e3d63385f60d6baf7d9880deab912f27ca921b2f626ce471c8878825f956d027e1da2dc9386cbede6fcc9e1e3f17dd25341185b9ddfb407500181d6c12995211

Download Submit
\Windows\system\spoolsv.exe
Filesize
66KB

MD5
897429c540fc853c3d0c1ab4d5b42d3b

SHA1
7e77c2db8bb62399e5ee7aa481eb81a1897cba95

SHA256
1fe42d7331553ba62cf81c09c6a3f6fe22a4434b4ba672a847b11d4309a03c91

SHA512
6f15e5fc86b0a70b22bd7901a3b74c99f9fdf350752087bc94edbdd21ef3aa014469c798b1e5d2ad28e7d74d5d457d526869dced3a5248477f6c259272b3f1c5

Download Submit
\Windows\system\svchost.exe
Filesize
66KB

MD5
9824e2b182fa6abb7c4d4f25fac42d34

SHA1
eebe64992dfe48219f12eb59723bbebf78491a38

SHA256
1ef65169c6aa134ada6efcf8755beb10084033609cd2c6a2e5f486bdc9951d32

SHA512
6b321e1218a551bfdf745e26c9e9ed2849a9fd13fb9a5832c60aeb5cb2ca875fc4b8af2b0165598c86c765567711ecc99da13ee6bb1307f0ae5f5cfa6d954948

Download Submit
memory/1992-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1992-44-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1992-38-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1992-37-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2220-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2220-80-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2220-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2220-15-0x0000000002720000-0x0000000002751000-memory.dmp

Filesize
196KB

Download
memory/2220-55-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2220-81-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2220-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2220-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2220-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2220-52-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2232-19-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2232-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2232-93-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2232-66-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2232-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2232-23-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2232-36-0x0000000002C00000-0x0000000002C31000-memory.dmp

Filesize
196KB

Download
memory/2232-35-0x0000000002C00000-0x0000000002C31000-memory.dmp

Filesize
196KB

Download
memory/2640-74-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2640-68-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2912-56-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2912-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2912-84-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2912-67-0x0000000002EA0000-0x0000000002ED1000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads