b796392631096d35df5cfcff1bf9d9dbd8a05c9b33b4c5bf12fb935aca3ff6e5

General

Target

77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
Size

66KB
MD5

77ba593822aac6cc502aeb7e24392360
SHA1

b35199e43440b4a8e69ba910ffe82ff9a5ecb565
SHA256

b796392631096d35df5cfcff1bf9d9dbd8a05c9b33b4c5bf12fb935aca3ff6e5
SHA512

39c110756d58e5c14541350bc75e0935c6d16bcb2cd36abb08ecb379f715d0ebd68b00bdea1385bac42c4f219ff458c96e8913e8fa10886c943d5a39bbd91da8
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXij:IeklMMYJhqezw/pXzH9ij

Score

10^/10

Malware Config

Signatures

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral2/memory/1856-37-0x00000000751A0000-0x00000000752FD000-memory.dmp	BazaLoader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

532 explorer.exe
1512 spoolsv.exe
1856 svchost.exe
2552 spoolsv.exe

pid	process
532	explorer.exe
1512	spoolsv.exe
1856	svchost.exe
2552	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exespoolsv.exesvchost.exe77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exeexplorer.exesvchost.exe

pid	process
1972	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
1972	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
532	explorer.exe
532	explorer.exe
532	explorer.exe
532	explorer.exe
532	explorer.exe
532	explorer.exe
1856	svchost.exe
532	explorer.exe
532	explorer.exe
1856	svchost.exe
1856	svchost.exe
1856	svchost.exe
532	explorer.exe
532	explorer.exe
1856	svchost.exe
1856	svchost.exe
532	explorer.exe
532	explorer.exe
1856	svchost.exe
1856	svchost.exe
532	explorer.exe
532	explorer.exe
1856	svchost.exe
1856	svchost.exe
532	explorer.exe
532	explorer.exe
1856	svchost.exe
1856	svchost.exe
532	explorer.exe
532	explorer.exe
1856	svchost.exe
1856	svchost.exe
532	explorer.exe
532	explorer.exe
1856	svchost.exe
1856	svchost.exe
532	explorer.exe
532	explorer.exe
532	explorer.exe
1856	svchost.exe
532	explorer.exe
1856	svchost.exe
532	explorer.exe
1856	svchost.exe
532	explorer.exe
1856	svchost.exe
532	explorer.exe
1856	svchost.exe
532	explorer.exe
1856	svchost.exe
532	explorer.exe
1856	svchost.exe
532	explorer.exe
1856	svchost.exe
532	explorer.exe
1856	svchost.exe
1856	svchost.exe
532	explorer.exe
532	explorer.exe
1856	svchost.exe
1856	svchost.exe
532	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

532 explorer.exe
1856 svchost.exe

pid	process
532	explorer.exe
1856	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1972	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
1972	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
532	explorer.exe
532	explorer.exe
1512	spoolsv.exe
1512	spoolsv.exe
1856	svchost.exe
1856	svchost.exe
2552	spoolsv.exe
2552	spoolsv.exe
532	explorer.exe
532	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1972 wrote to memory of 532	1972	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe	explorer.exe
PID 1972 wrote to memory of 532	1972	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe	explorer.exe
PID 1972 wrote to memory of 532	1972	77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe	explorer.exe
PID 532 wrote to memory of 1512	532	explorer.exe	spoolsv.exe
PID 532 wrote to memory of 1512	532	explorer.exe	spoolsv.exe
PID 532 wrote to memory of 1512	532	explorer.exe	spoolsv.exe
PID 1512 wrote to memory of 1856	1512	spoolsv.exe	svchost.exe
PID 1512 wrote to memory of 1856	1512	spoolsv.exe	svchost.exe
PID 1512 wrote to memory of 1856	1512	spoolsv.exe	svchost.exe
PID 1856 wrote to memory of 2552	1856	svchost.exe	spoolsv.exe
PID 1856 wrote to memory of 2552	1856	svchost.exe	spoolsv.exe
PID 1856 wrote to memory of 2552	1856	svchost.exe	spoolsv.exe
PID 1856 wrote to memory of 4760	1856	svchost.exe	at.exe
PID 1856 wrote to memory of 4760	1856	svchost.exe	at.exe
PID 1856 wrote to memory of 4760	1856	svchost.exe	at.exe
PID 1856 wrote to memory of 1556	1856	svchost.exe	at.exe
PID 1856 wrote to memory of 1556	1856	svchost.exe	at.exe
PID 1856 wrote to memory of 1556	1856	svchost.exe	at.exe
PID 1856 wrote to memory of 4296	1856	svchost.exe	at.exe
PID 1856 wrote to memory of 4296	1856	svchost.exe	at.exe
PID 1856 wrote to memory of 4296	1856	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77ba593822aac6cc502aeb7e24392360_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\SysWOW64\at.exe
at 02:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:4760

C:\Windows\SysWOW64\at.exe
at 02:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:1556

C:\Windows\SysWOW64\at.exe
at 02:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
66KB

MD5
bb69e7cc019a40e26158872e2dc51036

SHA1
76407c23eaba19dcad8eddadac909a0ea3e6b4c3

SHA256
0559bc7d879337e927a0611e99f0de8b3d3be8ba53c6d3c454bc7b0543ce3685

SHA512
06064466381a756af042fdc7a4da07b7f690424e949ab610faf2e433fb12af624788bdcde67665a6d2becf224ca79323e725ae5e696a58941ef2b901487e99a6

Download Submit
C:\Windows\System\explorer.exe
Filesize
66KB

MD5
098e4b9d8e1b4c3772009b125edc322f

SHA1
9e1aaaf433fad0ca326ddb7dd527a9d485f9161d

SHA256
db06e8e9cc79491d8155aa4ab9c37e31db4d1459ed4508ba4dc1bff4b58867a6

SHA512
aa627bc7ac4e5f71ea594ad63c8dc101a3c21571cc12e5f2f9e8a5fa845378d306f780fb62c791ed128ca0c0b2c19d265650ec22524a0dc108aedb89921f0a90

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
66KB

MD5
a4da6691856f44d9eff6afa654e3f04c

SHA1
0209fcea483e4d16bb9639ba67f88bd9dd3a9023

SHA256
91c65de1342655feb1cadebe311501c86e49ba40d79ecd02f37d391d4e69001c

SHA512
034667d280faf393b0175d6ccdbe8efb10393408d4e2fc437b1acfc55ecda518f7601a86ba623e0a15bb15d64050f0bca6eee39752dbd4782f448c7b73c4ec56

Download Submit
C:\Windows\System\svchost.exe
Filesize
66KB

MD5
e1e3832c0c7b30335d705edbb102f25a

SHA1
715aa2c31c73b4614e90603471131494b272254c

SHA256
6b796e8e7f1c46f3252d1c88068576bf23a79ea9676f55fbf70fa7ef6fce9a7a

SHA512
3f6478813d4196ae66ee158adfb982283913a73df4285e15e4ea33f3a71793c6d4c8231273ff4756492380cf09b2a443295524aed5f5f50a020840d1852babb1

Download Submit
memory/532-70-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/532-57-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/532-13-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/532-16-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/532-14-0x00000000751A0000-0x00000000752FD000-memory.dmp

Filesize
1.4MB

Download
memory/1512-30-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1512-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1512-26-0x00000000751A0000-0x00000000752FD000-memory.dmp

Filesize
1.4MB

Download
memory/1512-25-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1856-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1856-37-0x00000000751A0000-0x00000000752FD000-memory.dmp

Filesize
1.4MB

Download
memory/1972-56-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1972-44-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1972-2-0x00000000751A0000-0x00000000752FD000-memory.dmp

Filesize
1.4MB

Download
memory/1972-40-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1972-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1972-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1972-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1972-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1972-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/2552-45-0x00000000751A0000-0x00000000752FD000-memory.dmp

Filesize
1.4MB

Download
memory/2552-50-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads