Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 02:33
General
-
Target
78be1bd781eda78d3bf9498afd08cb20_NeikiAnalytics.exe
-
Size
66KB
-
MD5
78be1bd781eda78d3bf9498afd08cb20
-
SHA1
3f463dd6c95369c93fdb8fd22049cd143682ff87
-
SHA256
f5c53268ac1fa948e4521bee71c8476411abe8a299e29436ed077c26fb0fa633
-
SHA512
9b9438094353e3fb84bdd78822a5387aa8bcf069f6c947b77ee44f78b3484f9bff2ad787b7b62d1f21fe20d6ccc6b9f7e9977c16dee584c4beb2462a60356505
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiN:IeklMMYJhqezw/pXzH9iN
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\78be1bd781eda78d3bf9498afd08cb20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\78be1bd781eda78d3bf9498afd08cb20_NeikiAnalytics.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 02:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 02:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 02:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD51711352878d75287f4502718843b89bf
SHA1fa357f2003feeca95ee68facca04669f2e292395
SHA256a9d5e2690aad674694b10c1fb4f487a7c6701bb938ddd4294b273c632b388177
SHA5126fabee418270fe4c380e6f3318dfbc37adef49bb1596f2ef6b751cef110a99764d65b9788089f012682c05f5a387a4f5062f1d30ce74a1091144dc9341d6f973
-
Filesize
66KB
MD5b5bbc13e4952668c989a08c6a307e13d
SHA17ee272000a480d8fe61b4fab999b42aa51ff676a
SHA25604df20bbbebd7ecf793e957154531d65d408a68824da1ef04ed791ef61caa910
SHA5127768e82e1b1a8708b1268e313c76f0add41b5ee5f588734119eb47976e2de01e8f1a14023e4ffbaf5a84b12e2c710162f87c3336f66a7c900f7de7211cabdc51
-
Filesize
66KB
MD568c549e08437d7dd6392c64f67abf8da
SHA1c7336d4559f7214d74d6e8fe376a41667e4af501
SHA256360bc66b5c7560d8dcd848078281c6d8740dce4cd962b727a335786ddea849e7
SHA5128cc47301612b60fcdd206dea73a000d8a692831d6c24a14cc856e76a5f6a4a1cdb4e1732b90754d6fbd0e7b5168693fb554de95a50bb81b4ebe7905c0bd5845e
-
Filesize
66KB
MD5f0f09e06915dd0d68adc0b8e4416daf4
SHA1da148997716ccf0803b5ee4d265e9c00036722b5
SHA25647dd83571a2920f8a41d14281e9afaf583527f6dd4b658772886976f82cff8a4
SHA512875985bd97b3fab57a64db144adda9e0cf5e55a6a718583a528e7a806871c7e1c98eb56feb085da92713e3679075190bb89b62b8cba739773f7c46e35c501107
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
1.4MB
-
Filesize
16KB