b4eade9fdb0d637e3744158386b2e3c99050893f5ddf68fdc5be4670ace102ef

General

Target

6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe
Size

65KB
MD5

6c75b0ea90c3768ef4f8f47dffa97c60
SHA1

e90b75636f9b2b6a0e996d43c1314076cd3defa1
SHA256

b4eade9fdb0d637e3744158386b2e3c99050893f5ddf68fdc5be4670ace102ef
SHA512

d47b754c1b13bdbcc1bf36fcecfbc9efc147a7deeef769314f975b53f113c43d273e15a06630bd21157d8a038692e479b78b862e3878ba513f015f407ab9cf20
SSDEEP

1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuP:7WNqkOJWmo1HpM0MkTUmuP

Score

10^/10

Malware Config

Signatures

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral2/memory/4280-37-0x0000000074DD0000-0x0000000074F2D000-memory.dmp	BazaLoader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

3828 explorer.exe
1228 spoolsv.exe
4280 svchost.exe
4196 spoolsv.exe

pid	process
3828	explorer.exe
1228	spoolsv.exe
4280	svchost.exe
4196	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exespoolsv.exesvchost.exe6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exeexplorer.exesvchost.exe

pid	process
3044	6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe
3044	6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe
3828	explorer.exe
3828	explorer.exe
3828	explorer.exe
3828	explorer.exe
3828	explorer.exe
3828	explorer.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
4280	svchost.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
4280	svchost.exe
3828	explorer.exe
3828	explorer.exe
4280	svchost.exe
4280	svchost.exe
3828	explorer.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
4280	svchost.exe
3828	explorer.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
3828	explorer.exe
4280	svchost.exe
4280	svchost.exe
3828	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

3828 explorer.exe
4280 svchost.exe

pid	process
3828	explorer.exe
4280	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3044	6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe
3044	6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe
3828	explorer.exe
3828	explorer.exe
1228	spoolsv.exe
1228	spoolsv.exe
4280	svchost.exe
4280	svchost.exe
4196	spoolsv.exe
4196	spoolsv.exe
3828	explorer.exe
3828	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3044 wrote to memory of 3828	3044	6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe	explorer.exe
PID 3044 wrote to memory of 3828	3044	6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe	explorer.exe
PID 3044 wrote to memory of 3828	3044	6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe	explorer.exe
PID 3828 wrote to memory of 1228	3828	explorer.exe	spoolsv.exe
PID 3828 wrote to memory of 1228	3828	explorer.exe	spoolsv.exe
PID 3828 wrote to memory of 1228	3828	explorer.exe	spoolsv.exe
PID 1228 wrote to memory of 4280	1228	spoolsv.exe	svchost.exe
PID 1228 wrote to memory of 4280	1228	spoolsv.exe	svchost.exe
PID 1228 wrote to memory of 4280	1228	spoolsv.exe	svchost.exe
PID 4280 wrote to memory of 4196	4280	svchost.exe	spoolsv.exe
PID 4280 wrote to memory of 4196	4280	svchost.exe	spoolsv.exe
PID 4280 wrote to memory of 4196	4280	svchost.exe	spoolsv.exe
PID 4280 wrote to memory of 1224	4280	svchost.exe	at.exe
PID 4280 wrote to memory of 1224	4280	svchost.exe	at.exe
PID 4280 wrote to memory of 1224	4280	svchost.exe	at.exe
PID 4280 wrote to memory of 672	4280	svchost.exe	at.exe
PID 4280 wrote to memory of 672	4280	svchost.exe	at.exe
PID 4280 wrote to memory of 672	4280	svchost.exe	at.exe
PID 4280 wrote to memory of 3744	4280	svchost.exe	at.exe
PID 4280 wrote to memory of 3744	4280	svchost.exe	at.exe
PID 4280 wrote to memory of 3744	4280	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4196

C:\Windows\SysWOW64\at.exe
at 01:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:1224

C:\Windows\SysWOW64\at.exe
at 01:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:672

C:\Windows\SysWOW64\at.exe
at 01:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:3744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
65KB

MD5
0eeb1ed0fb16c603cee1c475a40997ed

SHA1
2152f3cfabd3f335e933c422e21c4203af6ec9a6

SHA256
36186e7f428662c46df5d09b35f06e7ca05deec7daecea02c92c1731e6a3279a

SHA512
85b6f999609b129bcdb05263c68a26700f2e77696b20918606c679ea1e0fe9ba2e68944660233fdafd91f01b94bd577e4fff3a7df88560840d32b677878a6ab6

Download Submit
C:\Windows\System\explorer.exe
Filesize
65KB

MD5
70fd4df732a1d67ea7e3164388ac8594

SHA1
848da19fca934a9929c2d558943bc41a80503f90

SHA256
96abbe85de0e3da6d1519ed9c2032093a4c26409d33affbbef5362a4d36a0ca4

SHA512
c60418eef041b20df8d723d85ab9925dd0e1778a2de0405f8ba2bcac7f1035083dcd2eb83edf123934c3f951bb15e0a990a01630eae49df532c816679bdb98f9

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
65KB

MD5
4f23b6712f2e938da24a0ad8b6541cf1

SHA1
291ad7705c87c9bb4420717c0a362827439b2bc2

SHA256
14cab30b8ca869d55982a229ad2c3324aa0084da6eec37a3240a8d5ae7f91d1d

SHA512
2013b08f813f6912e814f40e87756e1548d9df04a77087c5b851e754b98a679fb95098a760c3dda0248081bfe7fd3204a950750841b76b2be745bb2b90f53b0f

Download Submit
C:\Windows\System\svchost.exe
Filesize
65KB

MD5
c2f5f18f4174a36553d7c338c2b7a045

SHA1
ca00421a71f681fbe89fad127fdc005c10d500d8

SHA256
cdda485d00ab3c95dde713a8871f2f1264aacc15339b2b6138fcecbb0bc74cdd

SHA512
32f7118bf64b87f473fb31c60f80ebf0e51039da17b4728895cabc1fd53c515cdc8634c6070f438a8ebf8606a2248cff12653c49c14750bd0a6006eb1ae1b466

Download Submit
memory/1228-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1228-26-0x0000000074DD0000-0x0000000074F2D000-memory.dmp

Filesize
1.4MB

Download
memory/1228-30-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3044-57-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3044-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/3044-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3044-2-0x0000000074DD0000-0x0000000074F2D000-memory.dmp

Filesize
1.4MB

Download
memory/3044-56-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/3044-5-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3044-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3044-58-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3828-15-0x0000000074DD0000-0x0000000074F2D000-memory.dmp

Filesize
1.4MB

Download
memory/3828-13-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3828-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3828-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3828-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3828-71-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4196-44-0x0000000074DD0000-0x0000000074F2D000-memory.dmp

Filesize
1.4MB

Download
memory/4196-52-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4280-41-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4280-37-0x0000000074DD0000-0x0000000074F2D000-memory.dmp

Filesize
1.4MB

Download
memory/4280-62-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads