Overview

overview

10

Static

static

3

77dc329a5d...cs.exe

windows7-x64

10

77dc329a5d...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 02:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    77dc329a5d5f88b45c6f2e390d9268b0

  • SHA1

    a30e2182426ed83fb449475faa401786d84f53f8

  • SHA256

    2f9489b74ce81a0119b8f5b6581d4f015858ec435ca76c521a7f4fd611254272

  • SHA512

    46c92d0dd8d3d718bc1063cb065f39048af72501d0e3847588c3bf98f570ba949fd57bd010e2ceef25e543ae0f07d193a24ad5fad5c79d4f8267dc91d4c1d026

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXim:IeklMMYJhqezw/pXzH9im

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\77dc329a5d5f88b45c6f2e390d9268b0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2564
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2252
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4912
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2712
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2836
          • C:\Windows\SysWOW64\at.exe
            at 02:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2296
            • C:\Windows\SysWOW64\at.exe
              at 02:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:620
              • C:\Windows\SysWOW64\at.exe
                at 02:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4592

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          acc778d91c56e5a23c038327e984e623

          SHA1

          d92823733fe33e6cc6ee3b561725e21983b89f14

          SHA256

          de7b519663ffd551356ec282b8d70ed72ec9fb25f7b53b296586d5f0791bf8df

          SHA512

          32f4e3dbe7b14d4acf781343b542462ff0a300138042d572c7947028165a6f125bc73209caac6787a17ed1a604a99f0215c6dc9e6dda21ea537a5ccb8a3245f6

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          c4af92bad989263a8fffd002f001a8b9

          SHA1

          c893fdccc0b107249f42473def33868b0c9336fe

          SHA256

          64e30d9f47df974977df5d6f8068c8742fda76b013f0a67d209a8afbdba8919b

          SHA512

          f93f6b3ad46c2ebcbbd8eb01808fc447905135d488565f968099e636ef79fa693ac44a3c95258505cd5568edc8c73b865dce7d7456f770ceca9f0f45708c6885

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          f2f4653c5987880f5efa5b3ccb7c78f7

          SHA1

          cff2e6dfe309f6630470031ccaa0d94b91294164

          SHA256

          313e393ccf21bbad5882230890f36d231cb283bf2688d4b932883a9f96eded39

          SHA512

          0e60a9351987a8313d3c5d3a21b47ef44c2d557860b46bca459aac0beb8fca511958a022c47c57d6ebc77f0001b6a0f9085e01a2c08cb40fe27fdefa7e864b39

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          433df4c2b3b24e02d922e10b46553f70

          SHA1

          bbf1e913e55d460d88b4a7ef0451cfd16bfe218b

          SHA256

          be3d14bd4d06c29fe34bcd1a13d9272d98d36eeba4d8357775a52515d164e823

          SHA512

          e01a5320f3e3cd8f46b8546c981beb7213cc4e129f10f959a704367d5dc954462f6556c9ab2b3eafa41ce3de80c756bcb9380cc87b6a95a9e1c9d7e025da05b6

          Download Submit

        • memory/2252-15-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2252-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2252-69-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2252-16-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2252-13-0x00000000751D0000-0x000000007532D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2564-56-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2564-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2564-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2564-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2564-5-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2564-2-0x00000000751D0000-0x000000007532D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2564-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2712-36-0x00000000751D0000-0x000000007532D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2712-41-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2712-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2836-52-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2836-43-0x00000000751D0000-0x000000007532D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4912-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4912-25-0x00000000751D0000-0x000000007532D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4912-30-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download