Analysis
- max time kernel: 150s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 01:23

Static task: static1

Behavioral task: behavioral1
- Sample: 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe
- Size: 65KB
- MD5: 6c75b0ea90c3768ef4f8f47dffa97c60
- SHA1: e90b75636f9b2b6a0e996d43c1314076cd3defa1
- SHA256: b4eade9fdb0d637e3744158386b2e3c99050893f5ddf68fdc5be4670ace102ef
- SHA512: d47b754c1b13bdbcc1bf36fcecfbc9efc147a7deeef769314f975b53f113c43d273e15a06630bd21157d8a038692e479b78b862e3878ba513f015f407ab9cf20
- SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuP:7WNqkOJWmo1HpM0MkTUmuP
Malware Config
Signatures
- Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
Processes (resource, yara_rule):
- behavioral2/memory/4280-37-0x0000000074DD0000-0x0000000074F2D000-memory.dmp: BazaLoader
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe (description, ioc, process):
- Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
- Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: explorer.exe, svchost.exe (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe (pid, process):
- 3828 explorer.exe
- 1228 spoolsv.exe
- 4280 svchost.exe
- 4196 spoolsv.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
- Drops file in Windows directory (6 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe (description, ioc, process):
- File opened for modification \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (process: svchost.exe)
- File opened for modification C:\Windows\system\udsys.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (process: 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe)
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe, explorer.exe, svchost.exe (pid, process):
3044 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe 3044 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe 3828 explorer.exe 3828 explorer.exe 3828 explorer.exe 3828 explorer.exe 3828 explorer.exe 3828 explorer.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 4280 svchost.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 4280 svchost.exe 3828 explorer.exe 3828 explorer.exe 4280 svchost.exe 4280 svchost.exe 3828 explorer.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 4280 svchost.exe 3828 explorer.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 3828 explorer.exe 4280 svchost.exe 4280 svchost.exe 3828 explorer.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe (pid, process):
- 3828 explorer.exe
- 4280 svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe (pid, process):
- 3044 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe
- 3044 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe
- 3828 explorer.exe
- 3828 explorer.exe
- 1228 spoolsv.exe
- 1228 spoolsv.exe
- 4280 svchost.exe
- 4280 svchost.exe
- 4196 spoolsv.exe
- 4196 spoolsv.exe
- 3828 explorer.exe
- 3828 explorer.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
Processes: 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe (description, pid, process, target process):
- PID 3044 wrote to memory of 3828 (process: 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe, target: explorer.exe)
- PID 3044 wrote to memory of 3828 (process: 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe, target: explorer.exe)
- PID 3044 wrote to memory of 3828 (process: 6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe, target: explorer.exe)
- PID 3828 wrote to memory of 1228 (process: explorer.exe, target: spoolsv.exe)
- PID 3828 wrote to memory of 1228 (process: explorer.exe, target: spoolsv.exe)
- PID 3828 wrote to memory of 1228 (process: explorer.exe, target: spoolsv.exe)
- PID 1228 wrote to memory of 4280 (process: spoolsv.exe, target: svchost.exe)
- PID 1228 wrote to memory of 4280 (process: spoolsv.exe, target: svchost.exe)
- PID 1228 wrote to memory of 4280 (process: spoolsv.exe, target: svchost.exe)
- PID 4280 wrote to memory of 4196 (process: svchost.exe, target: spoolsv.exe)
- PID 4280 wrote to memory of 4196 (process: svchost.exe, target: spoolsv.exe)
- PID 4280 wrote to memory of 4196 (process: svchost.exe, target: spoolsv.exe)
- PID 4280 wrote to memory of 1224 (process: svchost.exe, target: at.exe)
- PID 4280 wrote to memory of 1224 (process: svchost.exe, target: at.exe)
- PID 4280 wrote to memory of 1224 (process: svchost.exe, target: at.exe)
- PID 4280 wrote to memory of 672 (process: svchost.exe, target: at.exe)
- PID 4280 wrote to memory of 672 (process: svchost.exe, target: at.exe)
- PID 4280 wrote to memory of 672 (process: svchost.exe, target: at.exe)
- PID 4280 wrote to memory of 3744 (process: svchost.exe, target: at.exe)
- PID 4280 wrote to memory of 3744 (process: svchost.exe, target: at.exe)
- PID 4280 wrote to memory of 3744 (process: svchost.exe, target: at.exe)
Processes (process tree; nesting shows parent/child, command line in parentheses)
- C:\Users\Admin\AppData\Local\Temp\6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe ("C:\Users\Admin\AppData\Local\Temp\6c75b0ea90c3768ef4f8f47dffa97c60_NeikiAnalytics.exe")
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (c:\windows\system\explorer.exe)
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (c:\windows\system\spoolsv.exe SE)
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (c:\windows\system\svchost.exe)
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (c:\windows\system\spoolsv.exe PR)
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (at 01:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe)
        - C:\Windows\SysWOW64\at.exe (at 01:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe)
        - C:\Windows\SysWOW64\at.exe (at 01:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads
- C:\Users\Admin\AppData\Roaming\mrsys.exe
  - Filesize: 65KB
  - MD5: 0eeb1ed0fb16c603cee1c475a40997ed
  - SHA1: 2152f3cfabd3f335e933c422e21c4203af6ec9a6
  - SHA256: 36186e7f428662c46df5d09b35f06e7ca05deec7daecea02c92c1731e6a3279a
  - SHA512: 85b6f999609b129bcdb05263c68a26700f2e77696b20918606c679ea1e0fe9ba2e68944660233fdafd91f01b94bd577e4fff3a7df88560840d32b677878a6ab6
- C:\Windows\System\explorer.exe
  - Filesize: 65KB
  - MD5: 70fd4df732a1d67ea7e3164388ac8594
  - SHA1: 848da19fca934a9929c2d558943bc41a80503f90
  - SHA256: 96abbe85de0e3da6d1519ed9c2032093a4c26409d33affbbef5362a4d36a0ca4
  - SHA512: c60418eef041b20df8d723d85ab9925dd0e1778a2de0405f8ba2bcac7f1035083dcd2eb83edf123934c3f951bb15e0a990a01630eae49df532c816679bdb98f9
- C:\Windows\System\spoolsv.exe
  - Filesize: 65KB
  - MD5: 4f23b6712f2e938da24a0ad8b6541cf1
  - SHA1: 291ad7705c87c9bb4420717c0a362827439b2bc2
  - SHA256: 14cab30b8ca869d55982a229ad2c3324aa0084da6eec37a3240a8d5ae7f91d1d
  - SHA512: 2013b08f813f6912e814f40e87756e1548d9df04a77087c5b851e754b98a679fb95098a760c3dda0248081bfe7fd3204a950750841b76b2be745bb2b90f53b0f
- C:\Windows\System\svchost.exe
  - Filesize: 65KB
  - MD5: c2f5f18f4174a36553d7c338c2b7a045
  - SHA1: ca00421a71f681fbe89fad127fdc005c10d500d8
  - SHA256: cdda485d00ab3c95dde713a8871f2f1264aacc15339b2b6138fcecbb0bc74cdd
  - SHA512: 32f7118bf64b87f473fb31c60f80ebf0e51039da17b4728895cabc1fd53c515cdc8634c6070f438a8ebf8606a2248cff12653c49c14750bd0a6006eb1ae1b466
Memory dumps (path: filesize)
- memory/1228-54-0x0000000000400000-0x0000000000431000-memory.dmp: 196KB
- memory/1228-26-0x0000000074DD0000-0x0000000074F2D000-memory.dmp: 1.4MB
- memory/1228-30-0x0000000000400000-0x0000000000431000-memory.dmp: 196KB
- memory/3044-57-0x0000000000400000-0x0000000000431000-memory.dmp: 196KB
- memory/3044-1-0x00000000001C0000-0x00000000001C4000-memory.dmp: 16KB
- memory/3044-0-0x0000000000400000-0x0000000000431000-memory.dmp: 196KB
- memory/3044-2-0x0000000074DD0000-0x0000000074F2D000-memory.dmp: 1.4MB
- memory/3044-56-0x00000000001C0000-0x00000000001C4000-memory.dmp: 16KB
- memory/3044-5-0x0000000000401000-0x000000000042E000-memory.dmp: 180KB
- memory/3044-3-0x0000000000400000-0x0000000000431000-memory.dmp: 196KB
- memory/3044-58-0x0000000000401000-0x000000000042E000-memory.dmp: 180KB
- memory/3828-15-0x0000000074DD0000-0x0000000074F2D000-memory.dmp: 1.4MB
- memory/3828-13-0x0000000000400000-0x0000000000431000-memory.dmp: 196KB
- memory/3828-14-0x0000000000400000-0x0000000000431000-memory.dmp: 196KB
- memory/3828-19-0x0000000000400000-0x0000000000431000-memory.dmp: 196KB
- memory/3828-60-0x0000000000400000-0x0000000000431000-memory.dmp: 196KB
- memory/3828-71-0x0000000000400000-0x0000000000431000-memory.dmp: 196KB
- memory/4196-44-0x0000000074DD0000-0x0000000074F2D000-memory.dmp: 1.4MB
- memory/4196-52-0x0000000000400000-0x0000000000431000-memory.dmp: 196KB
- memory/4280-41-0x0000000000400000-0x0000000000431000-memory.dmp: 196KB
- memory/4280-37-0x0000000074DD0000-0x0000000074F2D000-memory.dmp: 1.4MB
- memory/4280-62-0x0000000000400000-0x0000000000431000-memory.dmp: 196KB