Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 02:26
Static task: static1
Behavioral task: behavioral1
  Sample: 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
Size: 66KB
MD5: 77ba593822aac6cc502aeb7e24392360
SHA1: b35199e43440b4a8e69ba910ffe82ff9a5ecb565
SHA256: b796392631096d35df5cfcff1bf9d9dbd8a05c9b33b4c5bf12fb935aca3ff6e5
SHA512: 39c110756d58e5c14541350bc75e0935c6d16bcb2cd36abb08ecb379f715d0ebd68b00bdea1385bac42c4f219ff458c96e8913e8fa10886c943d5a39bbd91da8
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXij:IeklMMYJhqezw/pXzH9ij
Malware Config
Signatures
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
  resource | yara_rule
  behavioral1/memory/2596-55-0x0000000072940000-0x0000000072A93000-memory.dmp | BazaLoader

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: svchost.exe, explorer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe

Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  2280 | explorer.exe
  2964 | spoolsv.exe
  2596 | svchost.exe
  2128 | spoolsv.exe

Loads dropped DLL (8 IoCs)
Processes: 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
  pid | process
  2004 | 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
  2004 | 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
  2280 | explorer.exe
  2280 | explorer.exe
  2964 | spoolsv.exe
  2964 | spoolsv.exe
  2596 | svchost.exe
  2596 | svchost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe

Drops file in Windows directory (6 IoCs)
Processes: explorer.exe, svchost.exe, 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe, spoolsv.exe
  description | ioc | process
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe, explorer.exe, svchost.exe
  pid | process (number of report entries)
  2004 | 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe (1)
  2280 | explorer.exe (33)
  2596 | svchost.exe (30)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
  pid | process
  2280 | explorer.exe
  2596 | svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  2004 | 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
  2004 | 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
  2280 | explorer.exe
  2280 | explorer.exe
  2964 | spoolsv.exe
  2964 | spoolsv.exe
  2596 | svchost.exe
  2596 | svchost.exe
  2128 | spoolsv.exe
  2128 | spoolsv.exe
  2280 | explorer.exe
  2280 | explorer.exe

Suspicious use of WriteProcessMemory (28 IoCs)
Processes: 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
  description | pid | process | target process (each row appears 4 times in the report)
  PID 2004 wrote to memory of 2280 | 2004 | 77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe | explorer.exe
  PID 2280 wrote to memory of 2964 | 2280 | explorer.exe | spoolsv.exe
  PID 2964 wrote to memory of 2596 | 2964 | spoolsv.exe | svchost.exe
  PID 2596 wrote to memory of 2128 | 2596 | svchost.exe | spoolsv.exe
  PID 2596 wrote to memory of 2424 | 2596 | svchost.exe | at.exe
  PID 2596 wrote to memory of 956 | 2596 | svchost.exe | at.exe
  PID 2596 wrote to memory of 3060 | 2596 | svchost.exe | at.exe
Processes
C:\Users\Admin\AppData\Local\Temp\77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe
    command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe
      command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe
        command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe
          command line: at 02:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe
          command line: at 02:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe
          command line: at 02:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
C:\Users\Admin\AppData\Roaming\mrsys.exe
  Filesize: 66KB
  MD5: c4cedc2d51db7993ae92daeec55da8bd
  SHA1: 531cb9c569cd7950628a5399b6df026708d19500
  SHA256: 0bc1ec20aeb93ee8ad67d7c3fcd1705330518bcbe841127f4cc1575316005218
  SHA512: ec7c4891e3c9c4466ed3ff988726f558e62ea52c2e8dba0dbeb1e3560ee7f58bb897cdc05681d142ab05998f6c983bb82aa268989d63bd1fc9be1d44b0272450
C:\Windows\system\spoolsv.exe
  Filesize: 66KB
  MD5: 0b2b5f32cf7e0b38e55e77128aff00a5
  SHA1: 8b4967d2d279a68202337dbe65e1a168a0081352
  SHA256: 4e75bb672887cd84775599100a069d1c202ab759da1eb2c036244f7d95e7775f
  SHA512: 3d75503f9dddc0b580638ad9a0a3d9cc371d06b1a6cbf3e60ad784df8d9b628a90c45595ca3129ad8a6f6515447d001a7dddca3f6edded4ef246b51df1ad9ea1
\??\PIPE\atsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
\Windows\system\explorer.exe
  Filesize: 66KB
  MD5: 1ca84e605995ff6e3b0bf2be559943f5
  SHA1: 87daf5c026d99358e9dfc7169ed8637b9b829a2c
  SHA256: 604bba6db93e6e75634838617f6ae12305d8794b54b5180b35a0747b242d628e
  SHA512: 330443e1a15e56c144f4ae2b45e365b9faa3b84ec16cc9b5c3de8b2405fdf278aa39123cf8a9ce5444e9213477809cb6874a929534d024a5ec244d050c8f8534
\Windows\system\svchost.exe
  Filesize: 66KB
  MD5: 905fa6b15b4255aa02a531c2b18e2b6a
  SHA1: b070566c6dd33c7290d76efcdf183b5d4e81c7ee
  SHA256: d5282953011fa57621614222b7402837d4937178b0cff09b1f12f65345e119c3
  SHA512: 88d0bcec97a99d377e1b8d01e26fde9c1887fe0b0e1bb474739af73e09d6470dcd01fab506947b5f547750bd9854486494e399d878fffbdeb3d42656e54b2310
Memory dumps
  memory/2004-80-0x0000000000401000-0x000000000042E000-memory.dmp | Filesize: 180KB
  memory/2004-79-0x0000000000400000-0x0000000000431000-memory.dmp | Filesize: 196KB
  memory/2004-12-0x0000000001D10000-0x0000000001D41000-memory.dmp | Filesize: 196KB
  memory/2004-2-0x0000000072940000-0x0000000072A93000-memory.dmp | Filesize: 1.3MB
  memory/2004-0-0x0000000000400000-0x0000000000431000-memory.dmp | Filesize: 196KB
  memory/2004-3-0x0000000000400000-0x0000000000431000-memory.dmp | Filesize: 196KB
  memory/2004-18-0x0000000001D10000-0x0000000001D41000-memory.dmp | Filesize: 196KB
  memory/2004-53-0x0000000000401000-0x000000000042E000-memory.dmp | Filesize: 180KB
  memory/2004-4-0x0000000000401000-0x000000000042E000-memory.dmp | Filesize: 180KB
  memory/2004-1-0x0000000000020000-0x0000000000024000-memory.dmp | Filesize: 16KB
  memory/2128-68-0x0000000072940000-0x0000000072A93000-memory.dmp | Filesize: 1.3MB
  memory/2128-74-0x0000000000400000-0x0000000000431000-memory.dmp | Filesize: 196KB
  memory/2280-92-0x0000000000400000-0x0000000000431000-memory.dmp | Filesize: 196KB
  memory/2280-20-0x0000000000400000-0x0000000000431000-memory.dmp | Filesize: 196KB
  memory/2280-67-0x0000000000400000-0x0000000000431000-memory.dmp | Filesize: 196KB
  memory/2280-25-0x0000000000400000-0x0000000000431000-memory.dmp | Filesize: 196KB
  memory/2280-19-0x0000000000400000-0x0000000000431000-memory.dmp | Filesize: 196KB
  memory/2280-82-0x0000000000400000-0x0000000000431000-memory.dmp | Filesize: 196KB
  memory/2280-21-0x0000000072940000-0x0000000072A93000-memory.dmp | Filesize: 1.3MB
  memory/2596-65-0x00000000024C0000-0x00000000024F1000-memory.dmp | Filesize: 196KB
  memory/2596-55-0x0000000072940000-0x0000000072A93000-memory.dmp | Filesize: 1.3MB
  memory/2596-66-0x00000000024C0000-0x00000000024F1000-memory.dmp | Filesize: 196KB
  memory/2596-59-0x0000000000400000-0x0000000000431000-memory.dmp | Filesize: 196KB
  memory/2596-83-0x0000000000400000-0x0000000000431000-memory.dmp | Filesize: 196KB
  memory/2964-78-0x0000000000400000-0x0000000000431000-memory.dmp | Filesize: 196KB
  memory/2964-37-0x0000000072940000-0x0000000072A93000-memory.dmp | Filesize: 1.3MB
  memory/2964-54-0x0000000002460000-0x0000000002491000-memory.dmp | Filesize: 196KB
  memory/2964-41-0x0000000000400000-0x0000000000431000-memory.dmp | Filesize: 196KB