2f9489b74ce81a0119b8f5b6581d4f015858ec435ca76c521a7f4fd611254272

General

Target

77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
Size

66KB
MD5

77dc329a5d5f88b45c6f2e390d9268b0
SHA1

a30e2182426ed83fb449475faa401786d84f53f8
SHA256

2f9489b74ce81a0119b8f5b6581d4f015858ec435ca76c521a7f4fd611254272
SHA512

46c92d0dd8d3d718bc1063cb065f39048af72501d0e3847588c3bf98f570ba949fd57bd010e2ceef25e543ae0f07d193a24ad5fad5c79d4f8267dc91d4c1d026
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXim:IeklMMYJhqezw/pXzH9im

Score

10^/10

Malware Config

Signatures

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral1/memory/2816-54-0x0000000072940000-0x0000000072A93000-memory.dmp	BazaLoader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

1964 explorer.exe
2584 spoolsv.exe
2816 svchost.exe
2504 spoolsv.exe

pid	process
1964	explorer.exe
2584	spoolsv.exe
2816	svchost.exe
2504	spoolsv.exe

Loads dropped DLL 8 IoCs

Processes:

77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

pid	process
620	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
620	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
1964	explorer.exe
1964	explorer.exe
2584	spoolsv.exe
2584	spoolsv.exe
2816	svchost.exe
2816	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exeexplorer.exesvchost.exe

pid	process
620	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
2816	svchost.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe
2816	svchost.exe
1964	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1964 explorer.exe
2816 svchost.exe

pid	process
1964	explorer.exe
2816	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
620	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
620	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
1964	explorer.exe
1964	explorer.exe
2584	spoolsv.exe
2584	spoolsv.exe
2816	svchost.exe
2816	svchost.exe
2504	spoolsv.exe
2504	spoolsv.exe
1964	explorer.exe
1964	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 620 wrote to memory of 1964	620	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe	explorer.exe
PID 620 wrote to memory of 1964	620	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe	explorer.exe
PID 620 wrote to memory of 1964	620	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe	explorer.exe
PID 620 wrote to memory of 1964	620	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe	explorer.exe
PID 1964 wrote to memory of 2584	1964	explorer.exe	spoolsv.exe
PID 1964 wrote to memory of 2584	1964	explorer.exe	spoolsv.exe
PID 1964 wrote to memory of 2584	1964	explorer.exe	spoolsv.exe
PID 1964 wrote to memory of 2584	1964	explorer.exe	spoolsv.exe
PID 2584 wrote to memory of 2816	2584	spoolsv.exe	svchost.exe
PID 2584 wrote to memory of 2816	2584	spoolsv.exe	svchost.exe
PID 2584 wrote to memory of 2816	2584	spoolsv.exe	svchost.exe
PID 2584 wrote to memory of 2816	2584	spoolsv.exe	svchost.exe
PID 2816 wrote to memory of 2504	2816	svchost.exe	spoolsv.exe
PID 2816 wrote to memory of 2504	2816	svchost.exe	spoolsv.exe
PID 2816 wrote to memory of 2504	2816	svchost.exe	spoolsv.exe
PID 2816 wrote to memory of 2504	2816	svchost.exe	spoolsv.exe
PID 2816 wrote to memory of 856	2816	svchost.exe	at.exe
PID 2816 wrote to memory of 856	2816	svchost.exe	at.exe
PID 2816 wrote to memory of 856	2816	svchost.exe	at.exe
PID 2816 wrote to memory of 856	2816	svchost.exe	at.exe
PID 2816 wrote to memory of 2044	2816	svchost.exe	at.exe
PID 2816 wrote to memory of 2044	2816	svchost.exe	at.exe
PID 2816 wrote to memory of 2044	2816	svchost.exe	at.exe
PID 2816 wrote to memory of 2044	2816	svchost.exe	at.exe
PID 2816 wrote to memory of 2392	2816	svchost.exe	at.exe
PID 2816 wrote to memory of 2392	2816	svchost.exe	at.exe
PID 2816 wrote to memory of 2392	2816	svchost.exe	at.exe
PID 2816 wrote to memory of 2392	2816	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Windows\SysWOW64\at.exe
at 02:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:856

C:\Windows\SysWOW64\at.exe
at 02:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2044

C:\Windows\SysWOW64\at.exe
at 02:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2392

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
66KB

MD5
b3e6348baee31eb7674dba1ee9e1619e

SHA1
f599d328befff26fe76cf179a7ba7737adf5807e

SHA256
abc74dbe6ed2a7793c11f702ec0d09ba53b75699f749f0a6b23988b5767bb0ef

SHA512
f9ad09920dc0af91c13d1e7ec7098f3adefce8ecde20b390860b27a49c5465ef0dfde06698c631bbbcef88e1eff027a5a9792fbdcd9c56d2a8f4976c7c49e5df

Download Submit
C:\Windows\system\explorer.exe
Filesize
66KB

MD5
f8ac663c88ad72a019504daf14319a81

SHA1
0823e83decda07444173f97c446497069851c797

SHA256
ff8c0f5155b15df12de1d0e0ddc79e6525148483f80318465ce37ec6a4a038c6

SHA512
f52c00106559ed48cd2eb332f7ab700d49e91a67c8a81b234ff1c6101925184be4362148a9ce34108700f63b611a099a44f782a093d5fe50298e8c2793c9689a

Download Submit
\Windows\system\spoolsv.exe
Filesize
66KB

MD5
a782c14fe1d89d93080576c3f76e2fd1

SHA1
b49f006e0f92a481c66917891a07e1c8d6105251

SHA256
910754b74e80718479054cfef0f7af59c537ad9025e735afe78b15213935865e

SHA512
b1b34ffacad1dd441af07d6213b823a6f0fff553572de5fb36e6e281ab365839fe7e985de9330d97a97de773428114cf8d755ffe32874b536e46cfec1f6bf8de

Download Submit
\Windows\system\svchost.exe
Filesize
66KB

MD5
d42203546e37912566881355a294e49c

SHA1
4f19f274ddff95b9228ddfc6740e9571191c2055

SHA256
8aeb8fcc9606e6628f554bdeec8ee6c1421dcf61d761a4ed6febef455061b7a0

SHA512
fc50da50a92a4ffb283cd7c82f5907ab60289935d33f3daf25762d46eecb5d94ea8a7b1fe1aee8c2be61ae856b97c3b58e48ebc428e0721df8120d9618d55655

Download Submit
memory/620-68-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/620-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/620-18-0x0000000002FD0000-0x0000000003001000-memory.dmp

Filesize
196KB

Download
memory/620-17-0x0000000002FD0000-0x0000000003001000-memory.dmp

Filesize
196KB

Download
memory/620-7-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/620-80-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/620-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/620-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/620-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/620-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-93-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-20-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1964-22-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2504-64-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2504-70-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2504-73-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2584-75-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2584-47-0x0000000001D40000-0x0000000001D71000-memory.dmp

Filesize
196KB

Download
memory/2584-36-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2584-44-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2816-69-0x00000000031A0000-0x00000000031D1000-memory.dmp

Filesize
196KB

Download
memory/2816-58-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2816-54-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2816-53-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2816-84-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads