Overview

overview

10

Static

static

3

59a91a207c...cs.exe

windows7-x64

10

59a91a207c...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 23:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    59a91a207cfb3c1808b174dbd6a26f00

  • SHA1

    60c2d6a252e5dab6ee114b983c0a9425529fe71f

  • SHA256

    5c900947a6337340980f03eff4699010e02f106e66cd588c60c4c2a6105775c6

  • SHA512

    79ba50e28245a7328584081eba1cc13d78721bfc19e495477e1d7c640409b746dd819d1fe72ba272fe9db32a8302a068377cc5252362163b13fd3a494ca44709

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi9:IeklMMYJhqezw/pXzH9i9

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2464
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2156
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3028
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:908
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4876
          • C:\Windows\SysWOW64\at.exe
            at 23:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:4076
            • C:\Windows\SysWOW64\at.exe
              at 23:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4972
              • C:\Windows\SysWOW64\at.exe
                at 23:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4280
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=4656 /prefetch:8
          1⤵
            PID:1132

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          3
          T1547

          Registry Run Keys / Startup Folder

          2
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Privilege Escalation

          Boot or Logon Autostart Execution

          3
          T1547

          Registry Run Keys / Startup Folder

          2
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Defense Evasion

          Modify Registry

          4
          T1112

          Hide Artifacts

          1
          T1564

          Hidden Files and Directories

          1
          T1564.001

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\mrsys.exe
            Filesize

            66KB

            MD5

            814c0e2bfd1a276d57625a79ad190a1d

            SHA1

            f015412216cd5af5a8adcf10404bca7894818103

            SHA256

            64f26af2765cdf07f5f23cc9a1bf558c741da3e127718f42c8182b931fe04fc4

            SHA512

            93f0044ad5114e9d00837bd86cc1385adbd9a13dd5a21291f3f94f684776c9995a714ad44795fe89e0c22206980a41574d376ff7316ac59f8e0b0c1459ce05ce

            Download Submit
          • C:\Windows\System\explorer.exe
            Filesize

            66KB

            MD5

            b4bab321b126d182d3a0aed9208284ab

            SHA1

            db79c2bb88516a9f16df8608a4dfb04885df5c8e

            SHA256

            a7b5a31e13a4ee91a0444647a2c1c218678e7b3e07a73e1bdf226b1b521b5e07

            SHA512

            fbf29721151ccead2107ed364e1ac8e7ba9427acc26a82ae89e5f3d429f4bfa34d7c632d2eebb7d0449976d8e1fecacc55d77c59e98f7ee0378d6704c844b35b

            Download Submit
          • C:\Windows\System\spoolsv.exe
            Filesize

            66KB

            MD5

            cd9d4e1cd255323a80ccfee8632cc2a1

            SHA1

            30bedafae3c4c2d9e4918a7cac5ba2c709b405e3

            SHA256

            34ef88b0be856d4ae805fb09175cc90395ddbf0d271718e19cdf080640a94fa7

            SHA512

            16a3328014ca3f88067ca7f6ddc305b245ba399c81ea96143094c86e582571f40638b851e42eecb98da0760ecea632fafdfa81e04f588cc71102d235cb307c5a

            Download Submit
          • C:\Windows\System\svchost.exe
            Filesize

            66KB

            MD5

            9824e2b182fa6abb7c4d4f25fac42d34

            SHA1

            eebe64992dfe48219f12eb59723bbebf78491a38

            SHA256

            1ef65169c6aa134ada6efcf8755beb10084033609cd2c6a2e5f486bdc9951d32

            SHA512

            6b321e1218a551bfdf745e26c9e9ed2849a9fd13fb9a5832c60aeb5cb2ca875fc4b8af2b0165598c86c765567711ecc99da13ee6bb1307f0ae5f5cfa6d954948

            Download Submit
          • memory/908-59-0x0000000000400000-0x0000000000431000-memory.dmp
            Filesize

            196KB

            Download
          • memory/908-40-0x0000000000400000-0x0000000000431000-memory.dmp
            Filesize

            196KB

            Download
          • memory/908-36-0x0000000074B80000-0x0000000074CDD000-memory.dmp
            Filesize

            1.4MB

            Download
          • memory/2156-15-0x0000000000400000-0x0000000000431000-memory.dmp
            Filesize

            196KB

            Download
          • memory/2156-13-0x0000000074B80000-0x0000000074CDD000-memory.dmp
            Filesize

            1.4MB

            Download
          • memory/2156-68-0x0000000000400000-0x0000000000431000-memory.dmp
            Filesize

            196KB

            Download
          • memory/2156-57-0x0000000000400000-0x0000000000431000-memory.dmp
            Filesize

            196KB

            Download
          • memory/2464-2-0x0000000074B80000-0x0000000074CDD000-memory.dmp
            Filesize

            1.4MB

            Download
          • memory/2464-0-0x0000000000400000-0x0000000000431000-memory.dmp
            Filesize

            196KB

            Download
          • memory/2464-4-0x0000000000401000-0x000000000042E000-memory.dmp
            Filesize

            180KB

            Download
          • memory/2464-3-0x0000000000400000-0x0000000000431000-memory.dmp
            Filesize

            196KB

            Download
          • memory/2464-54-0x0000000000400000-0x0000000000431000-memory.dmp
            Filesize

            196KB

            Download
          • memory/2464-55-0x0000000000401000-0x000000000042E000-memory.dmp
            Filesize

            180KB

            Download
          • memory/2464-1-0x00000000001C0000-0x00000000001C4000-memory.dmp
            Filesize

            16KB

            Download
          • memory/3028-53-0x0000000000400000-0x0000000000431000-memory.dmp
            Filesize

            196KB

            Download
          • memory/3028-29-0x0000000000400000-0x0000000000431000-memory.dmp
            Filesize

            196KB

            Download
          • memory/3028-25-0x0000000074B80000-0x0000000074CDD000-memory.dmp
            Filesize

            1.4MB

            Download
          • memory/3028-24-0x0000000000400000-0x0000000000431000-memory.dmp
            Filesize

            196KB

            Download
          • memory/4876-43-0x0000000074B80000-0x0000000074CDD000-memory.dmp
            Filesize

            1.4MB

            Download
          • memory/4876-49-0x0000000000400000-0x0000000000431000-memory.dmp
            Filesize

            196KB

            Download