Overview

overview

10

Static

static

3

c5be2eaed2...cs.exe

windows7-x64

10

c5be2eaed2...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/05/2024, 20:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c5be2eaed2a940fa4b3545322ebac4a0_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    c5be2eaed2a940fa4b3545322ebac4a0

  • SHA1

    280c79589508cc336c6b3bfe424c8e00b9ea3637

  • SHA256

    64ef539c620423838fcb48120111f9b18c1e055d56738066779eeba3abd5a296

  • SHA512

    82023191c21adb460c967c3b4df57210a8bdd9efea84a882d7d4c9a2232bdf9f9d61e2b8f3c200f5a85f8c2f6d34c066adb3f5944b5f5be47751fa5252751c2c

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi511111111111111111111e:IeklMMYJhqezw/pXzH9i51111111111y

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5be2eaed2a940fa4b3545322ebac4a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\c5be2eaed2a940fa4b3545322ebac4a0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2660
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4944
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1096
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3864
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1740
          • C:\Windows\SysWOW64\at.exe
            at 20:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:3976
            • C:\Windows\SysWOW64\at.exe
              at 20:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2596
              • C:\Windows\SysWOW64\at.exe
                at 20:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1560

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\mrsys.exe
                Filesize

                66KB

                MD5

                f7a17cc89d5d4b6e6aaf22525857eaf2

                SHA1

                600996e880b03baef208347bf4968f5d1c180728

                SHA256

                bcd184b5cb330ac746f4ecd2b3654840eb724aba3c8adefef1f64e79df71a3d9

                SHA512

                dc4e1f848b37ab7e82bc1067d6114394600e59f9ec414dd8d7ac96e154fe5126d0c7359c739b7edc4fdcae3bf63d7c93450e604c530b8fedac23e68f80e8591e

                Download Submit

              • C:\Windows\System\explorer.exe
                Filesize

                66KB

                MD5

                1f5d1a4b428bf445b59a7fddf51a33c9

                SHA1

                0e5dfabc2e3a4f75472843c56d2c3b8826218469

                SHA256

                4a415aec7deeaa191620ad55f9d730115d1ecf638504f681506300ce8231f617

                SHA512

                9d58d8c7b45d1dd4b4db744254729df5f10ca9436904439934c29dcb56f36ef5d603ff104c34312abbc018873f8e37c63d69b2b65e1871ce8b35b885339a1df4

                Download Submit

              • C:\Windows\System\svchost.exe
                Filesize

                66KB

                MD5

                1653662b54956cc7de6cc9ad4ef3cb25

                SHA1

                e68db818fa2692250b5388d54ea63861166abbc6

                SHA256

                c267547e7bbc7bef5aa79f1b1ed9d28405a6153ce9abb148f68c0d31af704b9a

                SHA512

                4e5272b6e36aae431d63a07fb67b2b0f9ada35aae731ec64bb42e857ee6c35a4ab7b52ce73ba2231c4a4a2c4ed5ddae3fa7b9cf27eff3175b4f21d55c6aba7e3

                Download Submit

              • \??\c:\windows\system\spoolsv.exe
                Filesize

                66KB

                MD5

                675ad07ed43cbb09f583dc8dde6a54c4

                SHA1

                684b3aa6c0483283aa1f59978202cd7f8f089907

                SHA256

                95863b54e0eaa412685eded7fd28f3d911059e5308dc127a0d075fb29571adbb

                SHA512

                0a1c7843eb11176f4fbf2342344bfcbc71492664fff911043cd859e61097dc7f2fac0dc9b91292dc5d3898b745d53575b044785b8bedb030f49245efeeb61b1e

                Download Submit

              • memory/1096-26-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1096-55-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1096-32-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1096-27-0x00000000753C0000-0x000000007551D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1740-51-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/1740-45-0x00000000753C0000-0x000000007551D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2660-5-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2660-3-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2660-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

                Filesize

                16KB

                Download

              • memory/2660-57-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/2660-2-0x00000000753C0000-0x000000007551D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2660-58-0x0000000000401000-0x000000000042E000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2660-0-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3864-43-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/3864-38-0x00000000753C0000-0x000000007551D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/3864-62-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4944-14-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4944-15-0x00000000753C0000-0x000000007551D000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/4944-17-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4944-13-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4944-60-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download

              • memory/4944-71-0x0000000000400000-0x0000000000431000-memory.dmp

                Filesize

                196KB

                Download