2f9489b74ce81a0119b8f5b6581d4f015858ec435ca76c521a7f4fd611254272

General

Target

77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
Size

66KB
MD5

77dc329a5d5f88b45c6f2e390d9268b0
SHA1

a30e2182426ed83fb449475faa401786d84f53f8
SHA256

2f9489b74ce81a0119b8f5b6581d4f015858ec435ca76c521a7f4fd611254272
SHA512

46c92d0dd8d3d718bc1063cb065f39048af72501d0e3847588c3bf98f570ba949fd57bd010e2ceef25e543ae0f07d193a24ad5fad5c79d4f8267dc91d4c1d026
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXim:IeklMMYJhqezw/pXzH9im

Score

10^/10

Malware Config

Signatures

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral2/memory/2712-36-0x00000000751D0000-0x000000007532D000-memory.dmp	BazaLoader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2252 explorer.exe
4912 spoolsv.exe
2712 svchost.exe
2836 spoolsv.exe

pid	process
2252	explorer.exe
4912	spoolsv.exe
2712	svchost.exe
2836	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exeexplorer.exesvchost.exe

pid	process
2564	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
2564	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2712	svchost.exe
2252	explorer.exe
2252	explorer.exe
2712	svchost.exe
2712	svchost.exe
2252	explorer.exe
2252	explorer.exe
2712	svchost.exe
2712	svchost.exe
2252	explorer.exe
2252	explorer.exe
2712	svchost.exe
2712	svchost.exe
2252	explorer.exe
2252	explorer.exe
2712	svchost.exe
2712	svchost.exe
2252	explorer.exe
2252	explorer.exe
2712	svchost.exe
2712	svchost.exe
2252	explorer.exe
2252	explorer.exe
2712	svchost.exe
2712	svchost.exe
2252	explorer.exe
2252	explorer.exe
2712	svchost.exe
2712	svchost.exe
2252	explorer.exe
2252	explorer.exe
2712	svchost.exe
2712	svchost.exe
2252	explorer.exe
2252	explorer.exe
2712	svchost.exe
2712	svchost.exe
2252	explorer.exe
2252	explorer.exe
2712	svchost.exe
2712	svchost.exe
2252	explorer.exe
2252	explorer.exe
2712	svchost.exe
2712	svchost.exe
2252	explorer.exe
2252	explorer.exe
2712	svchost.exe
2712	svchost.exe
2252	explorer.exe
2252	explorer.exe
2712	svchost.exe
2712	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2252 explorer.exe
2712 svchost.exe

pid	process
2252	explorer.exe
2712	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2564	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
2564	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
2252	explorer.exe
2252	explorer.exe
4912	spoolsv.exe
4912	spoolsv.exe
2712	svchost.exe
2712	svchost.exe
2836	spoolsv.exe
2836	spoolsv.exe
2252	explorer.exe
2252	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2564 wrote to memory of 2252	2564	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe	explorer.exe
PID 2564 wrote to memory of 2252	2564	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe	explorer.exe
PID 2564 wrote to memory of 2252	2564	77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe	explorer.exe
PID 2252 wrote to memory of 4912	2252	explorer.exe	spoolsv.exe
PID 2252 wrote to memory of 4912	2252	explorer.exe	spoolsv.exe
PID 2252 wrote to memory of 4912	2252	explorer.exe	spoolsv.exe
PID 4912 wrote to memory of 2712	4912	spoolsv.exe	svchost.exe
PID 4912 wrote to memory of 2712	4912	spoolsv.exe	svchost.exe
PID 4912 wrote to memory of 2712	4912	spoolsv.exe	svchost.exe
PID 2712 wrote to memory of 2836	2712	svchost.exe	spoolsv.exe
PID 2712 wrote to memory of 2836	2712	svchost.exe	spoolsv.exe
PID 2712 wrote to memory of 2836	2712	svchost.exe	spoolsv.exe
PID 2712 wrote to memory of 2296	2712	svchost.exe	at.exe
PID 2712 wrote to memory of 2296	2712	svchost.exe	at.exe
PID 2712 wrote to memory of 2296	2712	svchost.exe	at.exe
PID 2712 wrote to memory of 620	2712	svchost.exe	at.exe
PID 2712 wrote to memory of 620	2712	svchost.exe	at.exe
PID 2712 wrote to memory of 620	2712	svchost.exe	at.exe
PID 2712 wrote to memory of 4592	2712	svchost.exe	at.exe
PID 2712 wrote to memory of 4592	2712	svchost.exe	at.exe
PID 2712 wrote to memory of 4592	2712	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4912

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2836

C:\Windows\SysWOW64\at.exe
at 02:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2296

C:\Windows\SysWOW64\at.exe
at 02:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:620

C:\Windows\SysWOW64\at.exe
at 02:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:4592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
66KB

MD5
acc778d91c56e5a23c038327e984e623

SHA1
d92823733fe33e6cc6ee3b561725e21983b89f14

SHA256
de7b519663ffd551356ec282b8d70ed72ec9fb25f7b53b296586d5f0791bf8df

SHA512
32f4e3dbe7b14d4acf781343b542462ff0a300138042d572c7947028165a6f125bc73209caac6787a17ed1a604a99f0215c6dc9e6dda21ea537a5ccb8a3245f6

Download Submit
C:\Windows\System\explorer.exe
Filesize
66KB

MD5
c4af92bad989263a8fffd002f001a8b9

SHA1
c893fdccc0b107249f42473def33868b0c9336fe

SHA256
64e30d9f47df974977df5d6f8068c8742fda76b013f0a67d209a8afbdba8919b

SHA512
f93f6b3ad46c2ebcbbd8eb01808fc447905135d488565f968099e636ef79fa693ac44a3c95258505cd5568edc8c73b865dce7d7456f770ceca9f0f45708c6885

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
66KB

MD5
f2f4653c5987880f5efa5b3ccb7c78f7

SHA1
cff2e6dfe309f6630470031ccaa0d94b91294164

SHA256
313e393ccf21bbad5882230890f36d231cb283bf2688d4b932883a9f96eded39

SHA512
0e60a9351987a8313d3c5d3a21b47ef44c2d557860b46bca459aac0beb8fca511958a022c47c57d6ebc77f0001b6a0f9085e01a2c08cb40fe27fdefa7e864b39

Download Submit
C:\Windows\System\svchost.exe
Filesize
66KB

MD5
433df4c2b3b24e02d922e10b46553f70

SHA1
bbf1e913e55d460d88b4a7ef0451cfd16bfe218b

SHA256
be3d14bd4d06c29fe34bcd1a13d9272d98d36eeba4d8357775a52515d164e823

SHA512
e01a5320f3e3cd8f46b8546c981beb7213cc4e129f10f959a704367d5dc954462f6556c9ab2b3eafa41ce3de80c756bcb9380cc87b6a95a9e1c9d7e025da05b6

Download Submit
memory/2252-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2252-58-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2252-69-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2252-16-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2252-13-0x00000000751D0000-0x000000007532D000-memory.dmp

Filesize
1.4MB

Download
memory/2564-56-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2564-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/2564-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2564-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2564-5-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2564-2-0x00000000751D0000-0x000000007532D000-memory.dmp

Filesize
1.4MB

Download
memory/2564-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2712-36-0x00000000751D0000-0x000000007532D000-memory.dmp

Filesize
1.4MB

Download
memory/2712-41-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2712-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2836-52-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2836-43-0x00000000751D0000-0x000000007532D000-memory.dmp

Filesize
1.4MB

Download
memory/4912-53-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4912-25-0x00000000751D0000-0x000000007532D000-memory.dmp

Filesize
1.4MB

Download
memory/4912-30-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads