Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
23-05-2024 01:44
General
-
Target
7047935da79e72c80dcb04217a2d2160_NeikiAnalytics.exe
-
Size
65KB
-
MD5
7047935da79e72c80dcb04217a2d2160
-
SHA1
a1a4185e8170687463b31d0b2db8b30f55787f31
-
SHA256
8f14b3c7d0314cc0c831a7efcf9c33f55312eb426baed4129cbfec03124d73ec
-
SHA512
4bbb10fa969c6a3c1b32008179e3369daf8220caa9c01b05bd7c6ae0da2a56d9b8526e9e5cda3bbbe7dc822520eec6fde9f35f0fea3c11f64a2dea0c3315a5ee
-
SSDEEP
1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ou6VVVVVVVVVVVVVVVVVVX:7WNqkOJWmo1HpM0MkTUmu6VVVVVVVVVp
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7047935da79e72c80dcb04217a2d2160_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\7047935da79e72c80dcb04217a2d2160_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 01:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 01:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 01:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5060dca1298e3fb341414c3ca7908f763
SHA10aaf4d57941a8c9787f7d1e55662ba92d6deecbf
SHA2567eef2ecb28de9e2cdf1abf244ba455e1c98cc5e054588fdb2707203d88fa2939
SHA512dc0385565a98523d0779e7360e089309690afc5074e7d287e6e8098a9b31560b92b732866e0abb76cefb6f52e425fdd368de4ebc73687694942161a8823cfd29
-
Filesize
65KB
MD5772fd1bf71f2d4ab8f797f381cc539a5
SHA1fea66ab4f1c14ecaef1d1ac9ceea74ea02c54aeb
SHA25693ebf6741de31c6d75551c0d6bedc8d3d025b7b5244f67daffe3ce373b4d578c
SHA512887d055137d993a2128e4764f05f18eec9373fffe2122cd3fcc00643f4fc990d73dd153c35b276578ae54c5bce9ba3a77cafe7759e428e657fdf8957f4fc2194
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
65KB
MD51a6ad4a315b5c96a7d32691f2e420b13
SHA1ec3379f3f4cc38b82753ceb104dbbbea0dcb7e82
SHA256e7265f9856059ee76c90963e9e47fd027739e750e2802ae1b9799093282773f1
SHA5128330f1b2a4d4b0066b7a861456e6dfee57e4cd5ea2fb58fea061f5b711a90d5c1e848fefeca7844e2fa3cbb0028c2a32d7d2bf2238f7a16f3df0c6e213ecb80b
-
Filesize
65KB
MD5f2e8e91ed21c96505131dc85119c339d
SHA1d0aaf35ba8d0f6b8c709e0a681a5c07acc54e1a6
SHA256256d99d57a9cfac0fe7531b804402cd9c2ab2c3f7ba7c6fa23c6003ccedad678
SHA51288f0294305221bab0ff2d3343d7ba7471816b9171af70d6674a3dff109e4323fbee713cea22479a401e2811ff28cb8bfdb814e6eeec4b7cb3c062e3cfebab4ea
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
1.3MB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
16KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB