b796392631096d35df5cfcff1bf9d9dbd8a05c9b33b4c5bf12fb935aca3ff6e5

General

Target

77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
Size

66KB
MD5

77ba593822aac6cc502aeb7e24392360
SHA1

b35199e43440b4a8e69ba910ffe82ff9a5ecb565
SHA256

b796392631096d35df5cfcff1bf9d9dbd8a05c9b33b4c5bf12fb935aca3ff6e5
SHA512

39c110756d58e5c14541350bc75e0935c6d16bcb2cd36abb08ecb379f715d0ebd68b00bdea1385bac42c4f219ff458c96e8913e8fa10886c943d5a39bbd91da8
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXij:IeklMMYJhqezw/pXzH9ij

Score

10^/10

Malware Config

Signatures

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral1/memory/2596-55-0x0000000072940000-0x0000000072A93000-memory.dmp	BazaLoader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2280 explorer.exe
2964 spoolsv.exe
2596 svchost.exe
2128 spoolsv.exe

pid	process
2280	explorer.exe
2964	spoolsv.exe
2596	svchost.exe
2128	spoolsv.exe

Loads dropped DLL 8 IoCs

Processes:

77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

pid	process
2004	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
2004	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
2280	explorer.exe
2280	explorer.exe
2964	spoolsv.exe
2964	spoolsv.exe
2596	svchost.exe
2596	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exesvchost.exe77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exeexplorer.exesvchost.exe

pid	process
2004	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2280	explorer.exe
2596	svchost.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2596	svchost.exe
2280	explorer.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2596	svchost.exe
2280	explorer.exe
2280	explorer.exe
2596	svchost.exe
2596	svchost.exe
2280	explorer.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe
2280	explorer.exe
2596	svchost.exe
2596	svchost.exe
2280	explorer.exe
2596	svchost.exe
2280	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2280 explorer.exe
2596 svchost.exe

pid	process
2280	explorer.exe
2596	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2004	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
2004	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
2280	explorer.exe
2280	explorer.exe
2964	spoolsv.exe
2964	spoolsv.exe
2596	svchost.exe
2596	svchost.exe
2128	spoolsv.exe
2128	spoolsv.exe
2280	explorer.exe
2280	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2004 wrote to memory of 2280	2004	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe	explorer.exe
PID 2004 wrote to memory of 2280	2004	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe	explorer.exe
PID 2004 wrote to memory of 2280	2004	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe	explorer.exe
PID 2004 wrote to memory of 2280	2004	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe	explorer.exe
PID 2280 wrote to memory of 2964	2280	explorer.exe	spoolsv.exe
PID 2280 wrote to memory of 2964	2280	explorer.exe	spoolsv.exe
PID 2280 wrote to memory of 2964	2280	explorer.exe	spoolsv.exe
PID 2280 wrote to memory of 2964	2280	explorer.exe	spoolsv.exe
PID 2964 wrote to memory of 2596	2964	spoolsv.exe	svchost.exe
PID 2964 wrote to memory of 2596	2964	spoolsv.exe	svchost.exe
PID 2964 wrote to memory of 2596	2964	spoolsv.exe	svchost.exe
PID 2964 wrote to memory of 2596	2964	spoolsv.exe	svchost.exe
PID 2596 wrote to memory of 2128	2596	svchost.exe	spoolsv.exe
PID 2596 wrote to memory of 2128	2596	svchost.exe	spoolsv.exe
PID 2596 wrote to memory of 2128	2596	svchost.exe	spoolsv.exe
PID 2596 wrote to memory of 2128	2596	svchost.exe	spoolsv.exe
PID 2596 wrote to memory of 2424	2596	svchost.exe	at.exe
PID 2596 wrote to memory of 2424	2596	svchost.exe	at.exe
PID 2596 wrote to memory of 2424	2596	svchost.exe	at.exe
PID 2596 wrote to memory of 2424	2596	svchost.exe	at.exe
PID 2596 wrote to memory of 956	2596	svchost.exe	at.exe
PID 2596 wrote to memory of 956	2596	svchost.exe	at.exe
PID 2596 wrote to memory of 956	2596	svchost.exe	at.exe
PID 2596 wrote to memory of 956	2596	svchost.exe	at.exe
PID 2596 wrote to memory of 3060	2596	svchost.exe	at.exe
PID 2596 wrote to memory of 3060	2596	svchost.exe	at.exe
PID 2596 wrote to memory of 3060	2596	svchost.exe	at.exe
PID 2596 wrote to memory of 3060	2596	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2128

C:\Windows\SysWOW64\at.exe
at 02:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2424

C:\Windows\SysWOW64\at.exe
at 02:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:956

C:\Windows\SysWOW64\at.exe
at 02:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:3060

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
66KB

MD5
c4cedc2d51db7993ae92daeec55da8bd

SHA1
531cb9c569cd7950628a5399b6df026708d19500

SHA256
0bc1ec20aeb93ee8ad67d7c3fcd1705330518bcbe841127f4cc1575316005218

SHA512
ec7c4891e3c9c4466ed3ff988726f558e62ea52c2e8dba0dbeb1e3560ee7f58bb897cdc05681d142ab05998f6c983bb82aa268989d63bd1fc9be1d44b0272450

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
66KB

MD5
0b2b5f32cf7e0b38e55e77128aff00a5

SHA1
8b4967d2d279a68202337dbe65e1a168a0081352

SHA256
4e75bb672887cd84775599100a069d1c202ab759da1eb2c036244f7d95e7775f

SHA512
3d75503f9dddc0b580638ad9a0a3d9cc371d06b1a6cbf3e60ad784df8d9b628a90c45595ca3129ad8a6f6515447d001a7dddca3f6edded4ef246b51df1ad9ea1

Download Submit
\??\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\system\explorer.exe
Filesize
66KB

MD5
1ca84e605995ff6e3b0bf2be559943f5

SHA1
87daf5c026d99358e9dfc7169ed8637b9b829a2c

SHA256
604bba6db93e6e75634838617f6ae12305d8794b54b5180b35a0747b242d628e

SHA512
330443e1a15e56c144f4ae2b45e365b9faa3b84ec16cc9b5c3de8b2405fdf278aa39123cf8a9ce5444e9213477809cb6874a929534d024a5ec244d050c8f8534

Download Submit
\Windows\system\svchost.exe
Filesize
66KB

MD5
905fa6b15b4255aa02a531c2b18e2b6a

SHA1
b070566c6dd33c7290d76efcdf183b5d4e81c7ee

SHA256
d5282953011fa57621614222b7402837d4937178b0cff09b1f12f65345e119c3

SHA512
88d0bcec97a99d377e1b8d01e26fde9c1887fe0b0e1bb474739af73e09d6470dcd01fab506947b5f547750bd9854486494e399d878fffbdeb3d42656e54b2310

Download Submit
memory/2004-80-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2004-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2004-12-0x0000000001D10000-0x0000000001D41000-memory.dmp

Filesize
196KB

Download
memory/2004-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2004-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2004-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2004-18-0x0000000001D10000-0x0000000001D41000-memory.dmp

Filesize
196KB

Download
memory/2004-53-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2004-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2004-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2128-68-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2128-74-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2280-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2280-20-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2280-67-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2280-25-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2280-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2280-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2280-21-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2596-65-0x00000000024C0000-0x00000000024F1000-memory.dmp

Filesize
196KB

Download
memory/2596-55-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2596-66-0x00000000024C0000-0x00000000024F1000-memory.dmp

Filesize
196KB

Download
memory/2596-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2596-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2964-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2964-37-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2964-54-0x0000000002460000-0x0000000002491000-memory.dmp

Filesize
196KB

Download
memory/2964-41-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads