Overview

overview

10

Static

static

3

37fb2a09a4...cs.exe

windows7-x64

10

37fb2a09a4...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 20:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37fb2a09a4a643cace8f4676cc838a70_NeikiAnalytics.exe

  • Size

    65KB

  • MD5

    37fb2a09a4a643cace8f4676cc838a70

  • SHA1

    1682e4be6bd40d1eca2c36bdf65bef8400fdd01d

  • SHA256

    725170bf2391fec3b2c4e9140fe18e0ec462f5e3233d047412ec61f9217eba32

  • SHA512

    aefa22382c2cf095b2f00429f4939cbc663608abcefe628de800f6ccdb4e452f165c3bd1990a26c01e54c40edd049d14c97f914638ba67e30fc55a57f4be64a9

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuH:7WNqkOJWmo1HpM0MkTUmuH

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37fb2a09a4a643cace8f4676cc838a70_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\37fb2a09a4a643cace8f4676cc838a70_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1124
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5920
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1356
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1676
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:5628
          • C:\Windows\SysWOW64\at.exe
            at 20:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1832
            • C:\Windows\SysWOW64\at.exe
              at 20:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:3348
              • C:\Windows\SysWOW64\at.exe
                at 20:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2852

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          892cb4ec44088d20eb8665c6147624a3

          SHA1

          18166d958a95be64264d1399913ceced362d9b52

          SHA256

          484284945e81f47fcc143f7c25a73887c8468bf443f9bd4a37919c4e9eb888ae

          SHA512

          7bdf90b234eba1466b790e8210509648eb4448cdd6ad6d2bc264dfcf3c1c191a63c7083876a3bfdbf0382541b6782ae8b02fe42b42f99f5c8be38019d17495eb

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          65KB

          MD5

          9f07049d7189916fc9ef9831d03c6a75

          SHA1

          0110d527feab9552ba7b057b0284bfd670cd9262

          SHA256

          ede8d8a41932413c3232f741ef415f2fe0bf45c4420c0ae1d25c80be47a3e485

          SHA512

          1e25c16d90e2c118889acda11d231b008666ba05515e1293d892141824725351bd12c4403b7f1e362ff7458aff3c69903caecfc613982dd51f2e31d28bed3304

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          65KB

          MD5

          3b3598615290358a07a24c45033b5722

          SHA1

          90368519f6bcb5988f74d51930ab2543420a6d96

          SHA256

          c55d971a7e6791ee45f625366e4e9627e271572be584b3bce7aa560eea345624

          SHA512

          4c7569be9dcd85ea03da78d5f2f23d8a48497c5cef5bb22866b019abac7ac13c467e2770ff285e7664930c3d8294d282a3611e840436e4d2f14d70bf045161cd

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          65KB

          MD5

          2d1f2f100dbfb98b6c49874a7ee34452

          SHA1

          24b9b152c75086569a874cf04debf3790c892879

          SHA256

          4ff0d09db3334465bd45465d8a7d565c75444b1de566d5f7ab83c1d54fe5e57c

          SHA512

          8973e7f3c51f1799835d02959a3902d8632fb043f54de1fe1c663bb5a1ee8cec4d6850be312b9a242ca8b1cef1a6f37b8bb7f2a06b7a8d35261cdb83d9ac5a1c

          Download Submit

        • \??\PIPE\atsvc
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          Download Submit

        • memory/1124-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1124-2-0x0000000074FC0000-0x000000007511D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1124-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1124-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1124-57-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1124-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1124-56-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1356-25-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1356-24-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1356-33-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1356-26-0x0000000074FC0000-0x000000007511D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1356-54-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1676-36-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1676-38-0x0000000074FC0000-0x000000007511D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1676-43-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1676-61-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5628-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5628-45-0x0000000074FC0000-0x000000007511D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/5920-59-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5920-16-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5920-70-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5920-13-0x0000000074FC0000-0x000000007511D000-memory.dmp

          Filesize

          1.4MB

          Download