Overview

overview

10

Static

static

3

7d617d2227...cs.exe

windows7-x64

10

7d617d2227...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    7d617d2227b39a830549a04ff72de3f0

  • SHA1

    03c9f6ea2c44861a594a4d2c129ad9c9d3551279

  • SHA256

    cf44e81284e501e7f25764461acc98893a96fbb3e8d7ef9fb67d62e05499163e

  • SHA512

    c59b615792b56604ca537860de3084eb8c8d4379990c1c03e507e26b43b6f2d660f57d5a90a658cc871be699f8e815c4d48291b038bb659ff57e373cee798371

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi2:IeklMMYJhqezw/pXzH9i2

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7d617d2227b39a830549a04ff72de3f0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:740
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1008
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3040
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3508
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3304
          • C:\Windows\SysWOW64\at.exe
            at 03:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2300
            • C:\Windows\SysWOW64\at.exe
              at 03:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:996
              • C:\Windows\SysWOW64\at.exe
                at 03:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1500

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        3
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Privilege Escalation

        Boot or Logon Autostart Execution

        3
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Defense Evasion

        Modify Registry

        4
        T1112

        Hide Artifacts

        1
        T1564

        Hidden Files and Directories

        1
        T1564.001

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          0c85478736376782724bde471a5d81a8

          SHA1

          2db2679672a55ba1e66255a61b425b5d5ad48efb

          SHA256

          f46a5a6d9da14b754dd25b5e8febc187818dd37fc48ddf316fb12f274a233399

          SHA512

          d8ba7b6c0df4b16eb2c3b7e05e76b3d173ba8d218776a0c17740d8d4591fd40f92e4d8a2d837fc165dd41bb16ee5380aab9f40968855ef137d235ea6bce880c9

          Download Submit
        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          a082feb7bd11f63855d3c1e942552056

          SHA1

          ae7e37c81b9696615b7095b8aa677068dd2d515c

          SHA256

          2fbb0894be3c5b40e91de3ac82a55f1b07ff1879fe6ec9b558254a42fccf6967

          SHA512

          8039dcc7b2821969fe587e3b51948db745ae0d077b219b7f97dea2e7d163f3237cb618fe917f164b380eea922adfc36ab209b22a9fccf073b571ddb1c841922b

          Download Submit
        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          30cb7b6e05a0ec31e0d6322b22fe2521

          SHA1

          c70a40057d0831ab4338068042203895e4363350

          SHA256

          07c6d77eff74ee9b2101c6ccd7cedda84e8960bf94042ba074fb35c21717b14c

          SHA512

          76ae585e9b0cb2893ddd30c4fde431d01859a903ae0659838abde933180b07815e8d13147a8b4fe6c72183d0e65fe54c322bb903ca828ceda9477b966ef5477b

          Download Submit
        • \??\c:\windows\system\explorer.exe
          Filesize

          66KB

          MD5

          95e2bfcd5d8b7d06864aafebac513087

          SHA1

          737fec821a741b30c99f3e88bc87b3a025cd7b9a

          SHA256

          475d11a168207beaca65e61f3082398e5af5ff8771fcadcda92878c9d05b42de

          SHA512

          3360196f51800d5044de0f2ffc1a8161202823337168965aa9c7a61b89db8832f5658b3c323b763df6a97f644c68a1db48f837e8faf478017550460033b488bc

          Download Submit
        • memory/740-56-0x0000000000401000-0x000000000042E000-memory.dmp
          Filesize

          180KB

          Download
        • memory/740-3-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/740-2-0x0000000075AC0000-0x0000000075C1D000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/740-55-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/740-0-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/740-5-0x0000000000401000-0x000000000042E000-memory.dmp
          Filesize

          180KB

          Download
        • memory/740-1-0x00000000001C0000-0x00000000001C4000-memory.dmp
          Filesize

          16KB

          Download
        • memory/1008-69-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1008-13-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1008-58-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/1008-14-0x0000000075AC0000-0x0000000075C1D000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1008-16-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3040-30-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3040-26-0x0000000075AC0000-0x0000000075C1D000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3040-25-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3040-52-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3304-53-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3304-44-0x0000000075AC0000-0x0000000075C1D000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3508-42-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3508-60-0x0000000000400000-0x0000000000431000-memory.dmp
          Filesize

          196KB

          Download
        • memory/3508-37-0x0000000075AC0000-0x0000000075C1D000-memory.dmp
          Filesize

          1.4MB

          Download