Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
23-05-2024 01:23
General
-
Target
6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe
-
Size
65KB
-
MD5
6c75b0ea90c3768ef4f8f47dffa97c60
-
SHA1
e90b75636f9b2b6a0e996d43c1314076cd3defa1
-
SHA256
b4eade9fdb0d637e3744158386b2e3c99050893f5ddf68fdc5be4670ace102ef
-
SHA512
d47b754c1b13bdbcc1bf36fcecfbc9efc147a7deeef769314f975b53f113c43d273e15a06630bd21157d8a038692e479b78b862e3878ba513f015f407ab9cf20
-
SSDEEP
1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuP:7WNqkOJWmo1HpM0MkTUmuP
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 01:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 01:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 01:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5e2ac0a6e857c4e080eb02363e3726753
SHA13d57503efca3f3390705523794461c1addea2486
SHA25649dd5d7826b6fa571941eec9036b4fa5a90da7781ff236b2dfc15619888d0a83
SHA51231aa61ae2141233b2859c1c10eb9b399960f684517c4698f772f4e53b892b3fe4e2f48f7dab641e44efd4ee1f483473e2a4167db6b4c126d3fa1d49e99c6d93f
-
Filesize
65KB
MD59ddb16bc5a7a10175ef6b7a3bdf6008f
SHA154f235a75646c6586afc99b6a1a4ceec0892ebad
SHA256326a15ec3b5bc87dd0d0c6cae94f9720ca5c8ec3217ee219fb0f40bd9e19b51d
SHA51230e19484f9d01fa69392585f86d0c7020acbf4ec334febea1802e606c7af0659736028d17fe9e5ea5f99e25154d327975df76941a22f0418d59817cdbf63ab67
-
Filesize
65KB
MD500fc907c9d920a9a78df5bcf93a061c4
SHA1af6261b7b1ecd056b51b353dedcec09425316da3
SHA2560ab75f38d38a15f5cbc101a568353e33cca0967cabce905873f5679c8b7e2048
SHA5129cae7cb51bac6f6d9761519052d97d45f8cc49533fac8f741ff8cca2ede9313426e999c1b833ec4ea7a306bde88f748bf475671f9021d4e3cbbc1597fe3aae33
-
Filesize
65KB
MD58417a07948d221febcd36064645a7d65
SHA1990c4b8960152899be5da885eed0ab053a9719d2
SHA2566eb20d0e50360df4739383fde98784b395d8e09515fc71298f479e4b172d8937
SHA512e3c2d872edef2bf4faae3357f54a9343ea49d026be09f13177e5e78f305ce5f2c10edb58f9c49351b96528702f06dceafe965a47768f1f0eeb9fdf21e503dd23
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
16KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
16KB
-
Filesize
1.3MB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB