Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 02:58

Static task: static1
Behavioral task: behavioral1
  Sample: 7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
The signatures, process tree and dropped files on this page come from behavioral2 (the Windows 10 run, which is what the YARA resource path refers to); the Windows 7 run is not shown here.
General
Target: 7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe
Size: 66KB
MD5: 7d617d2227b39a830549a04ff72de3f0
SHA1: 03c9f6ea2c44861a594a4d2c129ad9c9d3551279
SHA256: cf44e81284e501e7f25764461acc98893a96fbb3e8d7ef9fb67d62e05499163e
SHA512: c59b615792b56604ca537860de3084eb8c8d4379990c1c03e507e26b43b6f2d660f57d5a90a658cc871be699f8e815c4d48291b038bb659ff57e373cee798371
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi2:IeklMMYJhqezw/pXzH9i2
Malware Config
Signatures
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to its command-and-control (C2) server, encoding them in Base64 inside HTTP GET requests.
- resource: behavioral2/memory/3508-37-0x0000000075AC0000-0x0000000075C1D000-memory.dmp, yara_rule: BazaLoader
Treat this attribution with care. The matched dump is a 1.4MB range at 0x75AC0000-0x75C1D000, and the memory list at the bottom of this page shows the identical range dumped from every process in the tree (740, 1008, 3040, 3304 and 3508), so the rule fired on memory all of them share, not on something unique to the dropped svchost.exe. The sample itself is 66KB, the Network section of this report is empty, and no Base64-encoded GET requests appear anywhere on the page, so nothing here corroborates BazaLoader; confirm what module or payload occupies that range before using the label.
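As an added check (this is not part of the Triage report or its tooling), the Python below reads the memory-dump names listed under Downloads and, for any dump a YARA rule fired on, reports how large the range is and which other processes in the tree dumped exactly the same range. A hit on a range every process shares is far weaker evidence than a hit on a region unique to one process. The dump names are copied from this page; the function names are mine.

```python
import re
from collections import defaultdict

# Triage dump names look like memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# The 21 dump names listed under Downloads on this report; every process in the tree is present.
DUMPS = [
    "memory/740-56-0x0000000000401000-0x000000000042E000-memory.dmp",
    "memory/740-3-0x0000000000400000-0x0000000000431000-memory.dmp",
    "memory/740-2-0x0000000075AC0000-0x0000000075C1D000-memory.dmp",
    "memory/740-55-0x0000000000400000-0x0000000000431000-memory.dmp",
    "memory/740-0-0x0000000000400000-0x0000000000431000-memory.dmp",
    "memory/740-5-0x0000000000401000-0x000000000042E000-memory.dmp",
    "memory/740-1-0x00000000001C0000-0x00000000001C4000-memory.dmp",
    "memory/1008-69-0x0000000000400000-0x0000000000431000-memory.dmp",
    "memory/1008-13-0x0000000000400000-0x0000000000431000-memory.dmp",
    "memory/1008-58-0x0000000000400000-0x0000000000431000-memory.dmp",
    "memory/1008-14-0x0000000075AC0000-0x0000000075C1D000-memory.dmp",
    "memory/1008-16-0x0000000000400000-0x0000000000431000-memory.dmp",
    "memory/3040-30-0x0000000000400000-0x0000000000431000-memory.dmp",
    "memory/3040-26-0x0000000075AC0000-0x0000000075C1D000-memory.dmp",
    "memory/3040-25-0x0000000000400000-0x0000000000431000-memory.dmp",
    "memory/3040-52-0x0000000000400000-0x0000000000431000-memory.dmp",
    "memory/3304-53-0x0000000000400000-0x0000000000431000-memory.dmp",
    "memory/3304-44-0x0000000075AC0000-0x0000000075C1D000-memory.dmp",
    "memory/3508-42-0x0000000000400000-0x0000000000431000-memory.dmp",
    "memory/3508-60-0x0000000000400000-0x0000000000431000-memory.dmp",
    "memory/3508-37-0x0000000075AC0000-0x0000000075C1D000-memory.dmp",
]


def parse_dump(name):
    """Return (pid, index, start, end) for a Triage dump name, or None if it is not one."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16)


def ranges_by_pid(names):
    """Map each (start, end) range to the sorted list of pids that dumped exactly that range."""
    table = defaultdict(set)
    for name in names:
        d = parse_dump(name)
        if d:
            table[(d[2], d[3])].add(d[0])
    return {rng: sorted(pids) for rng, pids in table.items()}


def assess_hit(hit_name, names):
    """Context for a rule hit on one dump: the range's size and which other processes share it."""
    d = parse_dump(hit_name)
    if d is None:
        raise ValueError(f"not a Triage dump name: {hit_name}")
    pid, _, start, end = d
    table = ranges_by_pid(names)
    all_pids = sorted({p[0] for p in map(parse_dump, names) if p})
    sharers = table.get((start, end), [])
    return {
        "pid": pid,
        "range": f"0x{start:X}-0x{end:X}",
        "size_kib": (end - start) // 1024,
        "shared_with": [p for p in sharers if p != pid],
        "in_every_process": sharers == all_pids,
    }


if __name__ == "__main__":
    # The dump the BazaLoader rule matched in this report.
    hit = "memory/3508-37-0x0000000075AC0000-0x0000000075C1D000-memory.dmp"
    for key, value in assess_hit(hit, DUMPS).items():
        print(f"{key:17} {value}")
```

For the flagged dump this reports a 1396 KiB range shared with pids 740, 1008, 3040 and 3304, i.e. present in every process; the 16 KiB range at 0x1C0000 in pid 740, by contrast, is unique to that process. Note that the 0x400000-0x431000 image region is also in every process here, which is expected because each process is a copy of the same 66KB binary, so the size column matters as much as the sharing column.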
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (svchost.exe)
Winlogon's Shell value is a comma-separated list and every entry is launched at logon, so appending the dropped c:\windows\system\explorer.exe after the real shell starts the copy on each interactive logon while the desktop still looks normal. The legitimate value is exactly "explorer.exe"; anything longer is worth an alert.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)
ShowSuperHidden = 0 is the "Hide protected operating system files" setting, so files carrying the hidden and system attributes stay invisible in Explorer even when the user has turned on showing hidden files.
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (explorer.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (svchost.exe)
Active Setup runs each component's StubPath once per user at the next logon, so this starts C:\Users\Admin\AppData\Roaming\mrsys.exe (captured under Downloads below) for every account on the machine. Installed Components subkeys are normally GUIDs made of hexadecimal digits; both names here ({Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} and {F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}) contain letters outside 0-9/A-F, which makes them a cheap hunting query on their own.
Executes dropped EXE (4 IoCs)
- pid 1008 explorer.exe
- pid 3040 spoolsv.exe
- pid 3508 svchost.exe
- pid 3304 spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (svchost.exe)
These are RunOnce values, not Run: Windows deletes a RunOnce entry before executing it, so on a live host the keys may already be gone while the copies are running, and the value names Explorer and Svchost are chosen to look like the real binaries. The RO argument is the same kind of single-token switch as the SE and PR arguments visible in the process tree below.
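The three registry signatures above (Winlogon shell, Active Setup StubPath, RunOnce) are autostart writes of the same shape, and a reviewer usually wants to re-derive them from raw events rather than trust the sandbox labels. The Python below is an added example, not Triage's own logic: it parses event lines in the format this report prints and flags a Winlogon Shell value that is not exactly explorer.exe, an Installed Components subkey that is not a hex GUID, a StubPath that points under C:\Users, any Run/RunOnce write, ShowSuperHidden = 0, and a system-binary name (explorer.exe, svchost.exe, spoolsv.exe) referenced from a directory where it does not belong. Five of the sample lines are this report's own IoCs; the sixth is a constructed, well-formed control entry with a made-up GUID and path, and the rule tags and function names are mine.

```python
import re
from typing import List, NamedTuple

# Registry events in the shape this report prints them: <op> <key\value> = "<data>" <process>.
# The first five are copied from the report's IoCs (with its doubled backslashes inside quotes);
# the last is a constructed, well-formed control entry with a made-up GUID and path.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0123ABCD-4567-89EF-0123-456789ABCDEF}\StubPath = "C:\\Windows\\System32\\example.exe /setup" setup.exe',
]

EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?:str|int)\)|Key created|Key deleted)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<data>.*)")?'
    r'\s+(?P<proc>\S+\.exe)$'
)
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
PATH_RE = re.compile(r'[a-z]:\\[^\s,"]+', re.I)

# Where these binary names legitimately live (lower-case); anywhere else is a masquerade.
SYSTEM_BINARY_HOMES = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}


class Finding(NamedTuple):
    tag: str
    detail: str
    proc: str


def parse_event(line: str):
    """(op, path, data-or-None, process) for one event line, or None if it does not parse."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    data = m["data"]
    if data is not None:
        data = data.replace("\\\\", "\\")   # undo the report's escaping inside quoted data
    return m["op"], m["path"], data, m["proc"]


def check_event(line: str) -> List[Finding]:
    parsed = parse_event(line)
    if parsed is None:
        return []
    _op, path, data, proc = parsed
    parts = path.split("\\")
    lparts = [p.lower() for p in parts]
    findings: List[Finding] = []

    # Active Setup: every subkey under Installed Components should be a hex GUID.
    if "installed components" in lparts:
        i = lparts.index("installed components") + 1
        guid = parts[i] if i < len(parts) else ""
        if not GUID_RE.match(guid):
            findings.append(Finding("active_setup_bad_guid", guid, proc))
    if data is None:                       # Key created / Key deleted carry no value
        return findings

    parent, name = (lparts[-2] if len(lparts) > 1 else ""), lparts[-1]
    if parent == "winlogon" and name == "shell" and data.strip().lower() != "explorer.exe":
        findings.append(Finding("winlogon_shell", data, proc))
    if name == "showsuperhidden" and data == "0":
        findings.append(Finding("hide_system_files", path, proc))
    if parent in ("run", "runonce"):
        findings.append(Finding("run_key", f"{parts[-1]} = {data}", proc))
    exes = PATH_RE.findall(data)
    if name == "stubpath" and any("\\users\\" in e.lower() for e in exes):
        findings.append(Finding("active_setup_user_stub", data, proc))
    for exe in exes:                       # masquerade: known name, wrong directory
        folder, _, base = exe.lower().rpartition("\\")
        homes = SYSTEM_BINARY_HOMES.get(base)
        if homes is not None and folder not in homes:
            findings.append(Finding("masquerade", exe, proc))
    return findings


def triage(lines):
    return [f for line in lines for f in check_event(line)]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.tag:24} {f.proc:14} {f.detail}")
```

Run against the six lines this yields both malformed GUIDs, the extended Winlogon shell, the hidden-files change, the RunOnce write, the StubPath into %APPDATA%, and two masquerades (explorer.exe and svchost.exe under c:\windows\system), while the control entry produces nothing. The masquerade map is deliberately small; extend SYSTEM_BINARY_HOMES with whatever names your environment sees abused.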
Drops file in Windows directory (6 IoCs)
Processes: 7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
- File opened for modification \??\c:\windows\system\explorer.exe (7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe)
- File opened for modification \??\c:\windows\system\spoolsv.exe (explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (spoolsv.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (svchost.exe)
- File opened for modification C:\Windows\system\udsys.exe (explorer.exe)
c:\windows\system is the legacy 16-bit system directory, not System32 or SysWOW64. The genuine explorer.exe lives in C:\Windows and the genuine svchost.exe and spoolsv.exe in System32, so any of these three names running from c:\windows\system is a masquerade regardless of what the file contains. udsys.exe is written here but does not appear in the Downloads list, so it was not captured.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes, with the number of repeated hits: pid 740 7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe (2), pid 1008 explorer.exe (33), pid 3508 svchost.exe (29)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: pid 1008 explorer.exe, pid 3508 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes, two hits each in this order: pid 740 7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe, pid 1008 explorer.exe, pid 3040 spoolsv.exe, pid 3508 svchost.exe, pid 3304 spoolsv.exe, pid 1008 explorer.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: 7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
Each parent/child pair is reported three times; the distinct pairs are:
- PID 740 (7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe) wrote to memory of 1008 (explorer.exe)
- PID 1008 (explorer.exe) wrote to memory of 3040 (spoolsv.exe)
- PID 3040 (spoolsv.exe) wrote to memory of 3508 (svchost.exe)
- PID 3508 (svchost.exe) wrote to memory of 3304 (spoolsv.exe)
- PID 3508 (svchost.exe) wrote to memory of 2300 (at.exe)
- PID 3508 (svchost.exe) wrote to memory of 996 (at.exe)
- PID 3508 (svchost.exe) wrote to memory of 1500 (at.exe)
Every write goes from a parent into the child it has just created, and ordinary process creation produces parent-to-child writes of this kind, so on their own these are not evidence of injection; their value here is the PID map, which is what ties the process tree below together.
Processes
1. C:\Users\Admin\AppData\Local\Temp\7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe (pid 740)
   command line: "C:\Users\Admin\AppData\Local\Temp\7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\system\explorer.exe (pid 1008)
      command line: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\system\spoolsv.exe (pid 3040)
         command line: c:\windows\system\spoolsv.exe SE
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\system\svchost.exe (pid 3508)
            command line: c:\windows\system\svchost.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\system\spoolsv.exe (pid 3304)
               command line: c:\windows\system\spoolsv.exe PR
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
            5. C:\Windows\SysWOW64\at.exe
               command line: at 03:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5. C:\Windows\SysWOW64\at.exe
               command line: at 03:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5. C:\Windows\SysWOW64\at.exe
               command line: at 03:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
The PIDs are taken from the WriteProcessMemory section; the three at.exe children are pids 2300, 996 and 1500 there, but the report does not say which job each one ran. Each at.exe call registers c:\windows\system\svchost.exe as a daily job at 03:00, 03:01 or 03:02 with /interactive, a further persistence path on top of the Winlogon, RunOnce and Active Setup entries, and since at.exe jobs run under the Task Scheduler service as SYSTEM, a successful registration would also be an elevation from the Admin user context. Two caveats: at.exe has been deprecated since Windows 8 and on Windows 10 only prints a deprecation notice instead of creating the job, so on this win10v2004 image the registrations almost certainly did nothing (the report shows no scheduled-task signature to confirm them); the win7-20240508-en task (behavioral1) is where they would take effect.
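Added example, mine and not from the report: rebuilding the process tree from the PIDs in the WriteProcessMemory section, parsing each at.exe command line into a job record, and printing the parent chain from each job back to the submitted sample. Everything in the tree is copied from this page except one assumption, marked in the code: the at.exe PIDs 2300, 996 and 1500 are paired with the 03:00, 03:01 and 03:02 jobs in the order the report lists them. The parser also handles the other at.exe forms (an optional \\computer, /next:, job listing and /delete) so it can be pointed at arbitrary process logs.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


@dataclass(frozen=True)
class AtJob:
    time: str
    interactive: bool
    every: Tuple[str, ...]
    next: Tuple[str, ...]
    command: str


# This report's process tree, joined with the parent/child PIDs from its WriteProcessMemory
# section. Assumption: the at.exe PIDs 2300, 996 and 1500 belong to the 03:00, 03:01 and 03:02
# jobs in that order (the report lists both in the same order but does not pair them).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe"
AT_EXE = r"C:\Windows\SysWOW64\at.exe"
AT_ARGS = r"/interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"
TREE = [
    Proc(740, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(1008, 740, r"\??\c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe"),
    Proc(3040, 1008, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE"),
    Proc(3508, 3040, r"\??\c:\windows\system\svchost.exe", r"c:\windows\system\svchost.exe"),
    Proc(3304, 3508, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe PR"),
    Proc(2300, 3508, AT_EXE, f"at 03:00 {AT_ARGS}"),
    Proc(996, 3508, AT_EXE, f"at 03:01 {AT_ARGS}"),
    Proc(1500, 3508, AT_EXE, f"at 03:02 {AT_ARGS}"),
]

TIME_RE = re.compile(r"^\d{1,2}:\d{2}$")
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_at(cmdline: str) -> Optional[AtJob]:
    """Parse an at.exe job-creation line: at [\\\\computer] time [/interactive]
    [/every:...|/next:...] command. Returns None for listings, /delete and non-at commands."""
    toks = cmdline.split()
    if not toks or basename(toks[0].strip('"')).lower() not in ("at", "at.exe"):
        return None
    toks = toks[1:]
    if toks and toks[0].startswith("\\\\"):   # optional \\computername
        toks = toks[1:]
    if not toks or not TIME_RE.match(toks[0]):
        return None
    interactive, every, nxt, command = False, (), (), []
    for tok in toks[1:]:
        low = tok.lower()
        if command:                              # switches only count before the command
            command.append(tok)
        elif low == "/interactive":
            interactive = True
        elif low.startswith("/every:"):
            every = tuple(tok[len("/every:"):].split(","))
        elif low.startswith("/next:"):
            nxt = tuple(tok[len("/next:"):].split(","))
        else:
            command.append(tok)
    return AtJob(toks[0], interactive, every, nxt, " ".join(command))


def ancestry(tree, pid):
    """Processes from pid up to the root, following ppid links."""
    by_pid = {p.pid: p for p in tree}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def job_concerns(job: AtJob):
    reasons = []
    if job.interactive:
        reasons.append("/interactive: job gets the interactive desktop")
    if len(job.every) == 7:
        reasons.append("scheduled for every day of the week")
    target = job.command.split()[0].lower() if job.command else ""
    if not target.startswith(TRUSTED_PREFIXES):
        reasons.append(f"target outside System32/Program Files: {target}")
    return reasons


def scheduled_jobs(tree):
    """(pid, AtJob, concerns, parent chain) for every at.exe job creation in the tree."""
    out = []
    for p in tree:
        job = parse_at(p.cmdline)
        if job is None:
            continue
        chain = " <- ".join(f"{basename(a.image)}({a.pid})" for a in ancestry(tree, p.pid))
        out.append((p.pid, job, job_concerns(job), chain))
    return out


if __name__ == "__main__":
    for pid, job, concerns, chain in scheduled_jobs(TREE):
        print(f"pid {pid}: at {job.time} every {','.join(job.every)} -> {job.command}")
        print("  chain:", chain)
        for reason in concerns:
            print("  -", reason)
```

For each of the three jobs this prints the chain at.exe <- svchost.exe(3508) <- spoolsv.exe(3040) <- explorer.exe(1008) <- the sample (740) and three concerns: the job is interactive, it runs all seven days, and its target is c:\windows\system\svchost.exe rather than anything under System32. The same ancestry helper is what you would use to decide whether an at.exe or schtasks.exe invocation in production telemetry descends from an administrator's shell or from an unsigned binary.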
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
The matrix maps only the Run-key and Winlogon signatures. The Active Setup StubPath entries (Boot or Logon Autostart Execution: Active Setup) and the three at.exe job registrations (Scheduled Task/Job: At) are reported above but not mapped here, so do not treat the matrix as a complete technique inventory for this sample.
Downloads
- C:\Users\Admin\AppData\Roaming\mrsys.exe
  Filesize: 66KB
  MD5: 0c85478736376782724bde471a5d81a8
  SHA1: 2db2679672a55ba1e66255a61b425b5d5ad48efb
  SHA256: f46a5a6d9da14b754dd25b5e8febc187818dd37fc48ddf316fb12f274a233399
  SHA512: d8ba7b6c0df4b16eb2c3b7e05e76b3d173ba8d218776a0c17740d8d4591fd40f92e4d8a2d837fc165dd41bb16ee5380aab9f40968855ef137d235ea6bce880c9
- C:\Windows\System\spoolsv.exe
  Filesize: 66KB
  MD5: a082feb7bd11f63855d3c1e942552056
  SHA1: ae7e37c81b9696615b7095b8aa677068dd2d515c
  SHA256: 2fbb0894be3c5b40e91de3ac82a55f1b07ff1879fe6ec9b558254a42fccf6967
  SHA512: 8039dcc7b2821969fe587e3b51948db745ae0d077b219b7f97dea2e7d163f3237cb618fe917f164b380eea922adfc36ab209b22a9fccf073b571ddb1c841922b
- C:\Windows\System\svchost.exe
  Filesize: 66KB
  MD5: 30cb7b6e05a0ec31e0d6322b22fe2521
  SHA1: c70a40057d0831ab4338068042203895e4363350
  SHA256: 07c6d77eff74ee9b2101c6ccd7cedda84e8960bf94042ba074fb35c21717b14c
  SHA512: 76ae585e9b0cb2893ddd30c4fde431d01859a903ae0659838abde933180b07815e8d13147a8b4fe6c72183d0e65fe54c322bb903ca828ceda9477b966ef5477b
- \??\c:\windows\system\explorer.exe
  Filesize: 66KB
  MD5: 95e2bfcd5d8b7d06864aafebac513087
  SHA1: 737fec821a741b30c99f3e88bc87b3a025cd7b9a
  SHA256: 475d11a168207beaca65e61f3082398e5af5ff8771fcadcda92878c9d05b42de
  SHA512: 3360196f51800d5044de0f2ffc1a8161202823337168965aa9c7a61b89db8832f5658b3c323b763df6a97f644c68a1db48f837e8faf478017550460033b488bc
All four captured drops are 66KB, the same size as the submitted sample, yet each carries a different MD5/SHA1/SHA256, so the copies differ from the original and from one another; blocking the submitted hash alone will miss them, and the name-plus-path pairs (c:\windows\system\explorer.exe, spoolsv.exe and svchost.exe, %APPDATA%\mrsys.exe) are the more durable indicators. C:\Windows\system\udsys.exe, opened for modification by explorer.exe above, was not captured.
- memory/740-56-0x0000000000401000-0x000000000042E000-memory.dmp, 180KB
- memory/740-3-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/740-2-0x0000000075AC0000-0x0000000075C1D000-memory.dmp, 1.4MB
- memory/740-55-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/740-0-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/740-5-0x0000000000401000-0x000000000042E000-memory.dmp, 180KB
- memory/740-1-0x00000000001C0000-0x00000000001C4000-memory.dmp, 16KB
- memory/1008-69-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/1008-13-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/1008-58-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/1008-14-0x0000000075AC0000-0x0000000075C1D000-memory.dmp, 1.4MB
- memory/1008-16-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/3040-30-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/3040-26-0x0000000075AC0000-0x0000000075C1D000-memory.dmp, 1.4MB
- memory/3040-25-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/3040-52-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/3304-53-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/3304-44-0x0000000075AC0000-0x0000000075C1D000-memory.dmp, 1.4MB
- memory/3508-42-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/3508-60-0x0000000000400000-0x0000000000431000-memory.dmp, 196KB
- memory/3508-37-0x0000000075AC0000-0x0000000075C1D000-memory.dmp, 1.4MB