Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22-05-2024 23:39
General
-
Target
59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe
-
Size
66KB
-
MD5
59a91a207cfb3c1808b174dbd6a26f00
-
SHA1
60c2d6a252e5dab6ee114b983c0a9425529fe71f
-
SHA256
5c900947a6337340980f03eff4699010e02f106e66cd588c60c4c2a6105775c6
-
SHA512
79ba50e28245a7328584081eba1cc13d78721bfc19e495477e1d7c640409b746dd819d1fe72ba272fe9db32a8302a068377cc5252362163b13fd3a494ca44709
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi9:IeklMMYJhqezw/pXzH9i9
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\59a91a207cfb3c1808b174dbd6a26f00_NeikiAnalytics.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 23:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 23:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 23:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=4656 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD5814c0e2bfd1a276d57625a79ad190a1d
SHA1f015412216cd5af5a8adcf10404bca7894818103
SHA25664f26af2765cdf07f5f23cc9a1bf558c741da3e127718f42c8182b931fe04fc4
SHA51293f0044ad5114e9d00837bd86cc1385adbd9a13dd5a21291f3f94f684776c9995a714ad44795fe89e0c22206980a41574d376ff7316ac59f8e0b0c1459ce05ce
-
Filesize
66KB
MD5b4bab321b126d182d3a0aed9208284ab
SHA1db79c2bb88516a9f16df8608a4dfb04885df5c8e
SHA256a7b5a31e13a4ee91a0444647a2c1c218678e7b3e07a73e1bdf226b1b521b5e07
SHA512fbf29721151ccead2107ed364e1ac8e7ba9427acc26a82ae89e5f3d429f4bfa34d7c632d2eebb7d0449976d8e1fecacc55d77c59e98f7ee0378d6704c844b35b
-
Filesize
66KB
MD5cd9d4e1cd255323a80ccfee8632cc2a1
SHA130bedafae3c4c2d9e4918a7cac5ba2c709b405e3
SHA25634ef88b0be856d4ae805fb09175cc90395ddbf0d271718e19cdf080640a94fa7
SHA51216a3328014ca3f88067ca7f6ddc305b245ba399c81ea96143094c86e582571f40638b851e42eecb98da0760ecea632fafdfa81e04f588cc71102d235cb307c5a
-
Filesize
66KB
MD59824e2b182fa6abb7c4d4f25fac42d34
SHA1eebe64992dfe48219f12eb59723bbebf78491a38
SHA2561ef65169c6aa134ada6efcf8755beb10084033609cd2c6a2e5f486bdc9951d32
SHA5126b321e1218a551bfdf745e26c9e9ed2849a9fd13fb9a5832c60aeb5cb2ca875fc4b8af2b0165598c86c765567711ecc99da13ee6bb1307f0ae5f5cfa6d954948
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
16KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB